CLOMonitoring for CNCF Security Slam

[eddie-knight]

Hey folks! Raising this discussion for feedback prior to creating any review slog for the maintainers.

I'm working on the CNCF security slam. The experience doesn't explicitly include this project, but since I'm a fan of the project, I'd like to create some pull requests to improve the project's security posture following the CNCF guidelines. This will help me personally to get some practice on implementing this type of change in a familiar codebase, so if it isn't a burden I would like to start making PRs tomorrow (Thurs 9/29).

According to CLOMonitor, there are 23 changes that will be required. Below the hr in this thread, I will link to the results I found and then supply two different optional processes that can be followed to replicate the scan.

The feedback I'm looking for is this...

1. Will these PR(s) be welcome (not a trouble for the maintainers to review)?
2. If so, how would you like me to organize the PR(s), as there may be up to 23 such changes?
3. I believe an issue will need to be created with information similar to what I'm posting here... can you confirm this?

Thanks so much!

---

To read more about the CNCF security slam

https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/attend/experiences/

To see the CLOMonitor results that I am currently viewing:

Edit: this is run against my fork, so not all 23 results are accurate for the main repository.
https://lift.sonatype.com/results/github.com/eddie-knight/argo-helm/01GE3F84W0B01Z93TWFG12Y1DX

To replicate the CLOMonitor scan yourself:

Option 1- Local Installation of the CLO Web Server
This option is detailed exhaustively in the documentation for CLO monitor, which can be found on the website here or the project repo here. This process may require a bit of effort, but will give you a complete CLO web service locally that is identical to the web platform that runs scheduled checks.

Option 2- Github Pull Request Integration of CLO using Lift
Lift is an incubating project that is free forever on public GitHub repos. By enabling CLOMonitor on Lift, you can quickly see a simplified view of your results either on demand or on pull request creation. It may be also enabled on a fork if you are not ready to integrate it to your primary repo.

1. Enable Sonatype Lift to run on your project’s repository following the docs here.
2. Create a .lift.toml file in your projects root directory with the following to enable on demand CLOMonitor scans:

customTools=["/extra-tools/clomonitor.sh"]

3. If you would like to disable all of Lift’s default build, linting, and CVE scans in order to expedite this CLOMonitor scan, add the following line as well:

tools=[]

4. Select your repository on the Lift dashboard
   choose the appropriate branch from the drop down
5. Press the “Analyze” button to run the scans configured for your project.

[pdrastil]

Hi @eddie-knight - personally I really welcome such contribution. Send what you have and we can setup additional processes based on the recommendations.

[pdrastil]

You can also reach us on CNCF slack if you need anything - we are checking #argo-helm-charts channel.

[mkilchhofer]

Yes, I also welcome this type of contributions. Maybe we need to check what check set applies to our repository. Maybe code-lite or community?

[eddie-knight]

Good call, @mkilchhofer-- I think it could definitely be categorized as code-lite. I'll keep that in mind as I draw up the PRs.

Thanks for the quick answer everyone!!