Kubernetes-Security-Slam-2023

[SD-13]

Open tasks for the Kubernetes Security Slam 2023

• Ensure SBOMs are generated by Kubernetes BOM (task 3) @SD-13
• Ensure SLSA Attestations are generated when possible (task 4) @shafeeqes
• Ensure the project has a VEX Feed (task 5) @shafeeqes feat: Initialize OpenVEX feed #2275 feat: Generate OpenVX data for every release #2276
• Add project to CLOMonitor / Run tests for Clomonitor (task 7) @jescalada Onboard Kube State Metrics onto CLOMonitor cncf/clomonitor#1380
• Check for Binary Artifacts (task 8)
• Review the code review (task 9)
• Dangerous Workflow (task 10)
• Security Insights (task 11) @dalehenries chore: add Security Insights (task 11) #2278
• Dependencies policy (task 12)
• Dependency update tool (task 13)
• Token Permissions (task 16) @dalehenries ci: token permissions - security slam task 16 #2279

@puerco

---

Open questions

• feat: Initialize OpenVEX feed #2275 (review)
• docs: add OpenSSF Scorecard to README #2277 (comment)
• Onboard Kube State Metrics onto CLOMonitor cncf/clomonitor#1380 (review)

[mrueg]

/triage accepted

[jescalada]

I'd like to tackle Task 7!

[jescalada]

Please take a look at the CLOMonitor .yaml PR here:
cncf/clomonitor#1380

Thank you!

[SD-13]

Hey @mrueg @dgrisonnet @rexagod I want to know whether kube-state-metrics is generating SBOM as part of the release pipeline. Where to look for the release pipeline?

[dalehenries]

I looked into adding the OpenSSF Best Practices badge to the README, but I think a maintainer would need to first request the badge at https://www.bestpractices.dev/

[mrueg]

Hey @mrueg @dgrisonnet @rexagod I want to know whether kube-state-metrics is generating SBOM as part of the release pipeline. Where to look for the release pipeline?

We're currently not generating it. The release process is documented here: https://github.com/kubernetes/kube-state-metrics/blob/main/RELEASE.md If this is something that can be attached to a github release, it should be triggered by a release creating and execute a github action ideally that attaches the sbom

[rexagod]

I think https://github.com/advanced-security/gh-sbom (SBOM generation) coupled with https://github.com/anchore/sbom-action (SBOM pushes) should help accomplish the SBOM workflow.

[rexagod]

FYI Appended some open questions to the issue description.

[ricardoapl]

I think the following tasks are already done:

• Check for Binary Artifacts (task 8) (no binaries found in the repo)
• Review the code review (task 9) (all changesets reviewed)
• Dangerous Workflow (task 10) (no dangerous workflow patterns detected)
• Dependency update tool (task 13) (update tool detected, dependabot)

I think the following tasks are still missing something:

• Token Permissions (task 16)

What do you think about publishing the OpenVEX data with the remaining release artifacts?

@SD-13 do you mind if I assign Ensure SBOMs are generated by Kubernetes BOM (task 3) to me?

[SD-13]

@ricardoapl Please feel free to assign it to you!