cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

Home Page: https://tag-security.cncf.io

[Security Self-Assessment] KubeVirt

molofgarb opened this issue · comments

Details

Project Name: KubeVirt

Github URL: https://github.com/kubevirt/kubevirt

CNCF project stage: Incubation preparing for Graduation

Security Provider: No

Self-assessment link (before PR): KubeVirt Security Self-Assessment

Tasks

  • Stage 1: Preparation

    • Create a GitHub issue for the security self assessment of KubeVirt project.
      • Issue Link in CNCF Tag-Security:
    • Create a placeholder for the security self assessment.
    • Review Documentation of the KubeVirt project.
  • Stage 2: Understand the Project Landscape

    • Understand the overall project at a sufficient level of detail.
    • Update overview section
      • Background
        commit: <commit_link>
      • Actors
        commit: <commit_link>
      • Actions
        commit: <commit_link>
      • Goals
        commit: <commit_link>
      • Non-Goals
        commit: <commit_link>
  • Stage 3: First complete draft of the Self Assessment

    • Document technical specifications of the KubeVirt project.
      • Self assessment use
        commit: <commit_link>
      • Security functions and features
        commit: <commit_link>
      • Project compliance
        commit: <commit_link>
      • Secure development practices
        commit: <commit_link>
      • Security issue resolution
        commit: <commit_link>
      • Appendix
        commit: <commit_link>
    • Complete the security self assessment draft.
  • Stage 4: Iteration with the project

    • Initiate discussion with KubeVirt project maintainers.
    • Incorporate inputs and feedback from KubeVirt project maintainers.
    • Document the findings.
  • Stage 5: Finalization

    • Initiate PR
    • Get feedback and findings from reviewers
    • Fix the findings
    • Merge the PR
    • Close the issue

KubeVirt has already been assessed and is in progress

@molofgarb I apologize for the confusion. You should do the Security Pals work on the project, but please fork the repo and only open an issue in the last step (when we're ready to ask TAG Security to review and merge).

Pranava and I will update the guidance to be clearer.