[Security Self-Assessment] OpenKruise
bradcush opened this issue
bradley cushing commented
Details
Project Name: OpenKruise
GitHub URL: https://github.com/openkruise/kruise
CNCF project stage: Incubating
Security Provider: No
Self-assessment link: OpenKruise Self-assessment
Tasks
Stage-1: Preparation
- Create a GitHub issue:
  - Create a GitHub issue in the CNCF TAG-Security GitHub repository to initiate the process.
  - Update the information in the GitHub issue.
- Review the project information:
  - Review available project information and documentation.
    - This includes prior KubeCon talks, webpages, project documentation, etc.
- Create a draft security self-assessment document:
  - Fork the CNCF TAG-Security repository.
  - Create a new folder for your project in the assessments/projects folder.
  - Create a draft document for the security self-assessment in your project folder.
    - This document includes metadata details and placeholders for all sections.
  - Update the Metadata section of the document.
Stage-2: Understanding the Project
- Security Pals must understand the overall project at a sufficient level of detail, such as:
  - Project functionality and typical usage.
  - Roles of involved parties (e.g., sidecar, central server, maintainers).
  - Actions performed (e.g., data collection, query language, software release).
  - Project's goals (e.g., access control, software source control).
  - Project's non-goals (e.g., preventing insider data leaks).
- Complete the following in the Overview section of the self-assessment document:
  - About Project
  - Background
  - Actors
  - Actions
  - Goals
  - Non-Goals
Stage-3: First draft of the Self Assessment
- Complete the following sections in the self-assessment document:
  - Self-assessment use
  - Security functions and features
  - Project compliance
  - Secure development practices
  - Security issue resolution
  - Appendix
Stage-4: Iteration with the project
- Discuss and resolve open questions with project maintainers.
- Take their inputs into the self-assessment.
- Finalize the self-assessment.
- Submit Pull Request to CNCF TAG-security with a finalized security self-assessment document.
Stage-5: Finalization
- Fix the self-assessment based on feedback from TAG-Security reviewers.
- Merge the Pull Request.
bradley cushing commented
This has been moved to Rana-KV#4