
Source code, CI/CD, and supply chain security #312

Open
14 tasks
aj-stein-gsa opened this issue Dec 21, 2024 · 1 comment
Labels
  • dependencies: Pull requests that update a dependency file
  • documentation: Improvements or additions to documentation
  • github_actions: Pull requests that update GitHub Actions code
  • java: Pull requests that update Java code

Comments

@aj-stein-gsa
Contributor

User Story

As a project maintainer, in order to have confidence in the code, how it is tested, built, and published, with its dependencies, in this repository hosting system and elsewhere, I want policy, process, and supporting automation to check security properties of the source code, the CI/CD system, and the supply chain of dependent software.

NOTE: Once maintainers (and interested community members) determine the overall policy and process approach, maintainers will integrate the relevant policy, process, and supporting automation into the other repositories. At that time, the list below will be cross-linked to relevant GitHub issues for other projects.

  • metaschema-framework/liboscal-java
  • metaschema-framework/oscal-cli
  • metaschema-framework/oscal-server
  • metaschema-framework/metaschema
  • metaschema-framework/metaschema.dev

Goals

  • Identify, monitor, and demonstrate key security properties of
    • this project's source code
    • changes to the code, specifically pull requests from community members that are not maintainers
    • its dependencies
    • the environment(s) used to test project code and dependencies
    • the environment(s) used to deploy project code and dependencies

Dependencies

N/A

Acceptance Criteria

  • All website and readme documentation affected by the changes in this issue have been updated.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

Revisions

No response

@aj-stein-gsa added the documentation, dependencies, github_actions and java labels on Dec 21, 2024
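One concrete form the "supporting automation" in the user story above can take is a check that gates on the CI/CD properties the goals list: that third-party actions are pinned, that the GITHUB_TOKEN is least-privilege, and that pull requests from non-maintainers cannot run their code with the base repository's secrets. The script below is an added example for this issue, not code from any metaschema-framework repository; the two workflow texts it checks are constructed for illustration, and the commit SHAs in the hardened one are placeholders rather than real release commits.

```python
"""Static hardening checks for GitHub Actions workflows (added example).

Line-based checks, no YAML library needed, for three properties:
  1. every `uses:` reference is pinned to a full 40-hex commit SHA, so a
     moved tag in a third-party action cannot change what the job runs
  2. the workflow declares `permissions:` and never `write-all`, keeping
     the GITHUB_TOKEN at least privilege
  3. `pull_request_target` (runs with base-repo secrets and a write-capable
     token) is never combined with checking out the PR head, the classic way
     a fork PR from a non-maintainer gets code execution with repo credentials
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(.*?)\s*$")
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def check_workflow(text):
    """Return sorted (line_number, message) findings; an empty list means hardened."""
    findings = []
    has_permissions = False
    uses_pr_target = False
    pr_head_lines = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # local actions (./path) and docker images are outside this check
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    findings.append((n, f"unpinned action '{ref}': pin to a full commit SHA"))
        m = PERMISSIONS_RE.match(line)
        if m:
            has_permissions = True
            if m.group(1) == "write-all":
                findings.append((n, "permissions: write-all grants GITHUB_TOKEN every scope"))
        if PR_TARGET_RE.search(line):
            uses_pr_target = True
        if PR_HEAD_RE.search(line):
            pr_head_lines.append(n)
    if not has_permissions:
        findings.append((0, "no permissions: block; GITHUB_TOKEN gets the repository default"))
    if uses_pr_target:
        for n in pr_head_lines:
            findings.append((n, "pull_request_target workflow checks out the PR head: "
                                "untrusted code runs with base-repo secrets"))
    return sorted(findings)


def is_hardened(text):
    return not check_workflow(text)


# Constructed sample: the weak configuration (every check fails).
WEAK_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"
      - run: mvn -B verify
"""

# Constructed sample: the hardened form. SHAs are placeholders for this example;
# a real workflow pins to the commit of the audited release tag.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-java@89abcdef0123456789abcdef0123456789abcdef # v4
        with:
          distribution: temurin
          java-version: "17"
      - run: mvn -B verify
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "->", check_workflow(wf) or "no findings")
```

Run against `.github/workflows/*.yml` in a pre-merge job and fail the build on any finding; the `pull_request` trigger in the hardened sample is what keeps a fork's code running with the read-only token, and the `permissions: contents: read` line is the floor each job can then raise only for the scope it needs.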
@david-waltermire
Contributor

At the moment we currently have some security information in this repo. The same approach is used in metaschema-framework/liboscal-java and metaschema-framework/oscal-cli. Is addressing this a matter of adjusting what we have and replicating this?

The websites have a slightly different CI/CD due to the different implementation nature. These will need a more specialized approach.

Projects
Status: To Triage
Development

No branches or pull requests

2 participants