Operator CLO Monitor Tracking #3179

Open
9 tasks
jaronoff97 opened this issue Jul 29, 2024 · 2 comments
Assignees
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers

Comments

@jaronoff97
Contributor

jaronoff97 commented Jul 29, 2024

Describe the issue you're reporting

As part of the project infra SIG, we're working on some CLO monitoring improvements, and these are the issues the CLOMonitor found for the operator. We don't need to solve everything here, but it would be great to work on this towards improving repo conformance.

opentelemetry-operator

clomonitor link
project link

License

  • License scanning
    • License scanning software scans and automatically identifies, manages and addresses open source licensing issues.
    • A FOSSA or Snyk link is found in the repository's README file.

Security

  • Software bill of materials (SBOM)
    • List of components in a piece of software, including licenses, versions, etc.
    • The latest release on GitHub includes an asset whose name contains sbom.
  • Signed releases (from OpenSSF Scorecard)
    • This check tries to determine if the project cryptographically signs release artifacts.
  • Security insights
    • Projects should provide an OpenSSF Security Insights manifest file.
    • A valid OpenSSF Security Insights manifest file (SECURITY-INSIGHTS.yml) is found at the root of the repository.
  • Token permissions (from OpenSSF Scorecard)
    • This check determines whether the project's automated workflows tokens are set to read-only by default.
  • Dependencies policy
    • Project should provide a dependencies policy that describes how dependencies are consumed and updated.
    • The URL of the dependencies policy is available in the dependencies > env-dependencies-policy section of the OpenSSF Security Insights manifest file (SECURITY-INSIGHTS.yml), which should be located at the root of the repository.

Best Practices

  • OpenSSF best practices badge
    • The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.
    • An OpenSSF best practices badge is found in the repository's README file.
  • Artifact Hub badge
    • Projects can list their content on Artifact Hub to improve their discoverability.
    • An Artifact Hub badge is found in the repository's README file.
  • OpenSSF Scorecard badge
@jaronoff97 jaronoff97 added needs triage documentation Improvements or additions to documentation discuss-at-sig This issue or PR should be discussed at the next SIG meeting good first issue Good for newcomers and removed needs triage discuss-at-sig This issue or PR should be discussed at the next SIG meeting labels Jul 29, 2024
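For the two Security items that depend on a manifest (Security insights, and Dependencies policy via the dependencies > env-dependencies-policy section), here is an added example of a SECURITY-INSIGHTS.yml at the repository root. It is not a file from the operator repo: it follows the OpenSSF Security Insights v1.0.0 key names as I understand them, the repository URL is assumed to be the usual github.com/open-telemetry/opentelemetry-operator, and every date, release tag and document path is a placeholder to be replaced with the project's real values.

```yaml
# SECURITY-INSIGHTS.yml (OpenSSF Security Insights, schema 1.0.0), to be placed at the repository root.
# Added example for this tracking issue, not the operator's own manifest.
# Every value marked "placeholder" or "assumed" is constructed and must be replaced.
header:
  schema-version: 1.0.0
  expiration-date: '2025-08-01T00:00:00.000Z'   # placeholder; the spec requires an expiry no more than a year out
  last-updated: '2024-08-01'                    # placeholder
  last-reviewed: '2024-08-01'                   # placeholder
  project-url: https://github.com/open-telemetry/opentelemetry-operator   # assumed repository URL
  project-release: 'v0.0.0'                     # placeholder; set to the current release tag
  changelog: https://github.com/open-telemetry/opentelemetry-operator/blob/main/CHANGELOG.md   # assumed path
  license: https://github.com/open-telemetry/opentelemetry-operator/blob/main/LICENSE          # assumed path

project-lifecycle:
  status: active
  bug-fixes-only: false
  core-maintainers:
    - https://github.com/open-telemetry/opentelemetry-operator/blob/main/CODEOWNERS   # assumed path

contribution-policy:
  accepts-pull-requests: true
  accepts-automated-pull-requests: true

dependencies:
  third-party-packages: true
  dependencies-lists:
    - https://github.com/open-telemetry/opentelemetry-operator/blob/main/go.mod   # assumed path
  # This is the "dependencies > env-dependencies-policy" section that the CLOMonitor
  # Dependencies policy check reads the policy URL from.
  env-dependencies-policy:
    policy-url: https://github.com/open-telemetry/opentelemetry-operator/blob/main/DEPENDENCIES.md   # placeholder document
    comment: Describes how Go module dependencies are consumed, pinned, scanned and updated.
```

Two things to watch when adopting this: the Security insights check only passes if the file parses as valid YAML against the spec's schema (an expired expiration-date or a misspelled key fails it), and the Dependencies policy check is only as useful as the document that policy-url points to, so that document should actually describe how dependency updates (e.g. Renovate or Dependabot PRs) are reviewed and merged.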
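For the Token permissions item (OpenSSF Scorecard), here is an added, constructed GitHub Actions workflow showing the setting Scorecard looks for: a top-level permissions block that makes the GITHUB_TOKEN read-only by default, with write scopes granted only to the one job that needs them. It is an illustration, not one of the operator's real workflows; the job names and steps are made up.

```yaml
# .github/workflows/example-ci.yml (constructed example, not an operator workflow)
name: example-ci
on: [pull_request]

# Weak setting, which is what the Scorecard check flags: leaving this block out entirely,
# or setting "permissions: write-all", gives every job a read-write GITHUB_TOKEN.
# Corrected setting: read-only for the whole workflow by default.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Inherits the read-only token; a compromised build step cannot push or publish.
    steps:
      - uses: actions/checkout@v4
      - run: go build ./...

  release:
    runs-on: ubuntu-latest
    # Escalate per job and per scope only where a write is genuinely required,
    # so the top-level default stays read-only for everything else.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: echo "publish release assets here (placeholder step)"
```

A quick way to audit the repo against this check is to grep .github/workflows for files that lack a top-level `permissions:` key or that use `write-all`; Scorecard treats a job-level write scope as acceptable as long as the top-level default is read-only.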
@frzifus
Member

frzifus commented Aug 1, 2024

@led0nk something for you too? :)

@led0nk

led0nk commented Aug 2, 2024

Sure, I will have a look into this (maybe some assistance needed).
