Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Improve security hygiene and documentation #638

Closed
ricardoapl opened this issue Feb 11, 2024 · 3 comments
Closed

Improve security hygiene and documentation #638

ricardoapl opened this issue Feb 11, 2024 · 3 comments
Assignees
@ricardoapl
Labels
kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@ricardoapl
Copy link
Member

ricardoapl commented Feb 11, 2024
edited
Loading

I noticed prometheus-adapter is lacking in security documentation. I'm thinking about something similar to what was done in kubernetes/kube-state-metrics#2274 for Security Slam - Kubernetes Lightning Round.

Would you like to do this for prometheus-adapter? This means:

  • Generating an SBOM automatically when a new release is tagged, so that users have a better understanding of whether or not they're affected by a particular vulnerability
  • Generating SLSA/provenance attestation automatically for each new release, so that users can verify the authenticity and trustworthiness of the build process
  • Initializing VEX feed and generating OpenVEX data on each release, so that users have a better understanding of which vulnerabilities present a genuine risk
  • Setting up CLOMonitor tracking and following-up on any security checks

I believe this relates to https://github.com/kubernetes/sig-release/blob/193a3cdf8d73e0888c7f6829eea3716918a5af4a/roadmap.md
@ricardoapl ricardoapl added the kind/bug Categorizes issue or PR as related to a bug. label Feb 11, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 11, 2024
@dashpole
Copy link

/assign @ricardoapl
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 22, 2024
This was referenced Mar 2, 2024
Closed
Closed
@ricardoapl
Copy link
Member Author

Maybe we can close this since prometheus-adapter will be archived?

/cc @dgrisonnet

@ricardoapl ricardoapl mentioned this issue Mar 8, 2024
Open
@dgrisonnet
Copy link
Member

Yes 👍

@ricardoapl ricardoapl mentioned this issue Jun 27, 2024
Closed
11 tasks
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@ricardoapl ricardoapl

Labels
kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dashpole @k8s-ci-robot @dgrisonnet @ricardoapl