Add Microcks security self-assessment #1451

Merged 22 commits, Mar 12, 2025

Commits (22):
272a629  Add Microcks security self-assessment (yada, Mar 5, 2025)
215cf1e  Update Microcks security self-assessment based on checks errors (yada, Mar 5, 2025)
9165c40  Merge branch 'cncf:main' into main (yada, Mar 5, 2025)
7b64ab0  Update Microcks security self-assessment, chore: lint errors (yada, Mar 5, 2025)
06fb388  Update Microcks security self-assessment, chore: lint errors. (yada, Mar 5, 2025)
147a88b  Update Microcks security self-assessment, chore: lint errors.. add pi… (yada, Mar 5, 2025)
1b59f21  Update Microcks security self-assessment, chore: lint errors, Line le… (yada, Mar 5, 2025)
0ed3f73  Update Microcks security self-assessment, chore: lint errors, Line le… (yada, Mar 5, 2025)
55e5fc9  Update Microcks security self-assessment, chore: lint errors again (yada, Mar 5, 2025)
076ca02  Update Microcks security self-assessment, chore: lint errors again. (yada, Mar 5, 2025)
533028e  Update Microcks security self-assessment, chore: lint errors again.. (yada, Mar 5, 2025)
19e767b  Update Microcks security self-assessment, chore: lint errors again... (yada, Mar 5, 2025)
c3b11e3  Update Microcks security self-assessment, chore: lint errors again.... (yada, Mar 5, 2025)
02a18af  Update Microcks security self-assessment, chore: add cSpell:ignore words (yada, Mar 5, 2025)
7211df8  Update Microcks security self-assessment, chore: add cSpell:ignore wo… (yada, Mar 5, 2025)
790de93  Merge branch 'cncf:main' into main (yada, Mar 6, 2025)
5579324  Update Microcks security self-assessment, chore: Assessment Stage tp … (yada, Mar 6, 2025)
913fe11  Update Microcks security self-assessment, chore: OpenSSF score from 9… (yada, Mar 7, 2025)
64d3aed  Update: point people to our SECURITY.MD so they know how to report a … (yada, Mar 10, 2025)
ad2e6d5  Update to include all requested changes and additional information to… (yada, Mar 11, 2025)
11aa8ef  fix linter issues and check errors (yada, Mar 11, 2025)
b9c2611  Update and explain the competitive advantage of Microcks and clarify … (yada, Mar 11, 2025)
Update Microcks security self-assessment, chore: lint errors again...
Signed-off-by: Yacine Kheddache <yacine@microcks.io>
yada committed Mar 5, 2025
commit 19e767bf37147159dfdeb47bf0d8ffc649e5fb38
7 changes: 5 additions & 2 deletions community/assessments/projects/microcks/self-assessment.md
@@ -156,13 +156,16 @@ As a Github hosted project, we rely on the Github authentication mechanisms. All

#### Release, testing and assessment process

Microcks components are distributed as OCI container images for container runtimes such as Docker or Podman. The Microcks container images adhere to a versioning scheme where the **x.y.z** or **x.y.z-fix-N** (for critical fixes) tag denotes a stable release from a GitHub repo tag and is immutable. Additionally, there are mutable tags like `latest` and `nightly` that point to the most recent stable or potentially unstable build, respectively.
Microcks components are distributed as OCI container images for container runtimes such as Docker or Podman.
The Microcks container images adhere to a versioning scheme where the **x.y.z** or **x.y.z-fix-N** (for critical fixes) tag denotes a stable release from a GitHub repo tag and is immutable.
Additionally, there are mutable tags like `latest` and `nightly` that point to the most recent stable or potentially unstable build, respectively.

The project has fully [automated the build and release process](https://github.com/microcks/microcks/issues/1468) so all delivered components and their provenance attestations are signed using the GitHub Action provided identities (following the in-toto framework).

For a full description of [Microcks container images](https://microcks.io/documentation/references/container-images/ ), software supply chain security including SBOM and provenance attestations.

We have also made significant efforts to enhance our **overall security and compliance** across all **19 repositories** using **CLOMonitor checks** ([View CLOMonitor Report](https://clomonitor.io/projects/cncf/microcks)). Currently, our **overall CLOMonitor score is 98**, rating Microcks at an **"A" grade**. This was a **long process initiated in June 2024** ([Issue #1201](https://github.com/microcks/microcks/issues/1201)), reflecting our continued commitment to improving project security and best practices.
We have also made significant efforts to enhance our **overall security and compliance** across all **19 repositories** using **CLOMonitor checks** ([View CLOMonitor Report](https://clomonitor.io/projects/cncf/microcks)).
Currently, our **overall CLOMonitor score is 98**, rating Microcks at an **"A" grade**. This was a **long process initiated in June 2024** ([Issue #1201](https://github.com/microcks/microcks/issues/1201)), reflecting our continued commitment to improving project security and best practices.

Microcks ranks **#8 among 205 CNCF projects** (including Incubating and Graduated projects!). Additionally, we hold the **top position** for the **most repositories and checks among all CNCF projects**.
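Review bot: the unchanged context line starting "For a full description of [Microcks container images]" is a sentence fragment with no main verb, and its link target has a stray space before the closing parenthesis (`container-images/ )`), which some Markdown renderers will not recognise as a link; since this commit already touches the surrounding lines for lint, suggest rewriting it as "For a full description of the [Microcks container images](https://microcks.io/documentation/references/container-images/), including software supply chain security, SBOM and provenance attestations, see that page." The line splits in the two changed paragraphs are rendering-neutral (adjacent lines without a blank line still form one Markdown paragraph), so no content changes here. Two smaller points for a self-assessment document: the CLOMonitor score (98, "A") and the "#8 among 205 CNCF projects" ranking are point-in-time values, so consider stating the date they were read; and the sentence about components and provenance attestations being signed with GitHub Actions identities would be stronger with a pointer to how a consumer verifies those attestations, since the linked item is an issue rather than verification documentation.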