Improve security hygiene and documentation #638

Closed
@ricardoapl

Description

I noticed prometheus-adapter is lacking in security documentation. I'm thinking about something similar to what was done in kubernetes/kube-state-metrics#2274 for Security Slam - Kubernetes Lightning Round.

Would you like to do this for prometheus-adapter? This means:

  • Generating an SBOM automatically when a new release is tagged, so that users have a better understanding of whether or not they're affected by a particular vulnerability
  • Generating SLSA/provenance attestation automatically for each new release, so that users can verify the authenticity and trustworthiness of the build process
  • Initializing a VEX feed and generating OpenVEX data on each release, so that users have a better understanding of which vulnerabilities present a genuine risk
  • Setting up CLOMonitor tracking and following up on any security checks

I believe this relates to https://github.com/kubernetes/sig-release/blob/193a3cdf8d73e0888c7f6829eea3716918a5af4a/roadmap.md
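As an added example that is not part of this issue or of prometheus-adapter, the following Python shows what the SBOM and OpenVEX items buy a consumer of a release: a scanner's findings are filtered against the release's SBOM (is the package even shipped in this artifact?) and its OpenVEX statements (has the project declared the finding not_affected or fixed?), leaving only what still needs attention. All package URLs, CVE ids, documents and scanner findings below are constructed placeholders.

```python
# Added example, not prometheus-adapter code: how a consumer of a release
# combines its SBOM with its OpenVEX data to see which scanner findings still
# matter. Every purl, CVE id and URL below is a constructed placeholder.

# Constructed CycloneDX-style SBOM fragment published with the release.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0",
     "purl": "pkg:golang/example.com/libfoo@v1.2.0"},
    {"type": "library", "name": "libbar", "version": "0.9.1",
     "purl": "pkg:golang/example.com/libbar@v0.9.1"},
]}

# Constructed OpenVEX document: the project's assessment of each finding.
OPENVEX = {"@context": "https://openvex.dev/ns/v0.2.0", "version": 1,
           "@id": "https://example.com/vex/placeholder-1",
           "author": "example maintainers", "timestamp": "2024-01-01T00:00:00Z",
           "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:golang/example.com/libfoo@v1.2.0"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:golang/example.com/libbar@v0.9.1"}],
     "status": "under_investigation"},
]}

# Constructed scanner output: (vulnerability id, package URL it matched).
FINDINGS = [
    ("CVE-0000-0001", "pkg:golang/example.com/libfoo@v1.2.0"),  # VEX: not_affected
    ("CVE-0000-0002", "pkg:golang/example.com/libbar@v0.9.1"),  # VEX: investigating
    ("CVE-0000-0003", "pkg:golang/example.com/libbar@v0.9.1"),  # no VEX statement
    ("CVE-0000-0004", "pkg:golang/example.com/libbaz@v2.0.0"),  # not in the SBOM
]

def triage(sbom, vex, findings):
    """Return {purl: {vuln: status}} for findings that still need attention:
    drops packages absent from the SBOM and findings VEX marks not_affected or
    fixed; keeps affected, under_investigation and unaddressed findings."""
    shipped = {c["purl"] for c in sbom["components"]}
    # (vulnerability id, product purl) -> VEX status, one entry per product
    index = {(st["vulnerability"]["name"], p["@id"]): st["status"]
             for st in vex["statements"] for p in st["products"]}
    still_open = {}
    for vuln, purl in findings:
        if purl not in shipped:
            continue
        status = index.get((vuln, purl), "no_vex_statement")
        if status not in ("not_affected", "fixed"):
            still_open.setdefault(purl, {})[vuln] = status
    return still_open
```

Findings with no VEX statement are deliberately kept and labelled, so a missing statement is visible rather than silently treated as safe.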

Metadata

Labels

kind/bug: Categorizes issue or PR as related to a bug.
triage/accepted: Indicates an issue or PR is ready to be actively worked on.
