From YouTube: CNCF SIG Security 2021-02-03
C: Hello, everyone. This is Shubhra. I'm just making sure I'm in the right meeting. This is the CNCF SIG Security meeting, right?
A: Hi, Brandon, and belated happy New Year. I guess I've been off the radar for a couple of months now.
A: No problem. At some point I might actually get to jump on and do some security stuff in addition to the facilitating. Just as I thought I had sort of a break, I had a lot more responsibilities sort of lumped on me at home and at work, so I just had to budget my time. But I'm going for my PhD soon, so there's a plus.
A: I should be able to chip in more frequently now. I just had a big hurdle I had to get over, and it didn't really leave much time for the fun stuff like this, or professional development, or anything. So actually, I should be less on-and-off the radar and more consistent, I would say.
D: No worries. It's actually really super comfortable. I'm not even trying to sell it again: super comfortable. I think it's somewhat polyester-cottony; it's nice.
A: I got a little micro Kubernetes one at a conference a couple of years back for my son, who's now six. So if he sees me wearing my now worn and old Kubernetes one, he sort of instinctively knows. I don't know what it means, but I'll put on the micro Kubernetes one and stand next to that. So you've got this sort of K8s, MicroK8s, that's the joke going.
A: Okay, we're a couple of minutes in. I'm just going to double-check here. All right, so we'll, I guess, officially get things underway. So before we proceed, good day, everyone. Just a reminder that these meetings are recorded and automatically uploaded afterwards to YouTube. So all members are asked that by taking part in these meetings they're agreeing to the CNCF security policy on behavior and conversing on this channel. It can all be found on our GitHub page in the repo.
A: If anyone wants to look at it in depth. And with that said, first and foremost we'll go for scribes here, see what we can get. So I believe, Brandon, we already have you volunteering for that role, and if anyone else wants to pick up the scribe role as well, please feel free to jump in there. And I believe Brandon's already posted the links in the chat to, essentially, the sign-up sheet and the document we'll be going over today. And with that, we shall jump into this.
A: Okay, on to the next one, then. All right. So then from here the plan is just to go through the general topics we already have on the agenda, and then afterwards we'll open the floor if anyone wants to bring up anything related to a specific ticket or pull request in our GitHub instance, and then finally just a general open floor, if there's anything anyone wants to bring up in general, or if there are any new attendees that would like a chance to introduce themselves.
B: Yeah, I think, Matthew, there are just a couple that are popping up that I'm going to copy into the table, and then we can cover them after Shubhra's topic.
C: Yes, please. All right! Okay, I'm going to screen share. I have a few slides, but I wanted to actually also go through the actual product that we have been working on. So let me go ahead and share my screen.
A: One quick question: should all questions be held to the end, or can they sort of pop up as we go along? Yeah.
C: We can take it on the fly. I didn't come up with a proper webinar agenda, but I wanted to bring this as more of an open discussion. Gotcha, yeah, right. So just by means of introduction: my name is Shubhra Kar. I'm the CTO of the Linux Foundation, and I have a decent engineering team, and we have been working on a bunch of tools for all Linux Foundation projects, and many of these tools we're building from scratch.
C: I won't be able to walk you through all the tooling; I'll focus on security. And for security, what we have done is, well, we cannot build everything, because obviously my team is not a group of security experts, so we have partnered with a lot of SCA vendors and come up with an integrated solution where all Linux Foundation projects and sister foundation projects, including CNCF, can gain the benefits. Okay, so for security, right, before we go into that.
C: This whole platform, this LFX platform, is a set of digital toolchains, and our goal is to build more sustainable open source projects. And as we are asking how we can help these projects succeed, right, obviously I'll be preaching to the choir here if I tell you how strong our community is and how it's been rapidly growing, but we start hitting issues around scale. We start hitting issues around how we manage best practices across the board.
C: Security, in particular, always becomes kind of an afterthought. It's not embedded right in the development toolchain. So how can we make that process better, right? So by way of introduction, you can check this out later: there's a website called lfx.dev, and there you can find context around each of these products. By the way, CNCF is already using many of the products in the toolchain.
C: So if you're looking at CLA, Kubernetes, gRPC, OpenTelemetry, a lot of those projects use EasyCLA. We have the mentorship tool, which most CNCF projects did active mentorships in last year. This year, just yesterday, I approved like 30 or 40 mentorships in there. Crowdfunding was another one that was used. Landscape actually came out of CNCF, and we have tried to productize it and make it available for other projects to use easily. Community events, like if you go to community.cncf.io.
C: So this would be really good for you to check out, and eventually we want to drive adoption, because there are a lot more metrics around the ecosystem, not just code. And today we're going to deep dive into security. And then there is a solution called an individual profile, or an individual dashboard. This is around your SSO, your credential management, your code attribution, affiliation, trainings, events you are speaking at. It's creating a global community profile for every member of the community. Okay, so in security, it's a shared responsibility.
C: We all want to drive that, but again, the key things we were trying to solve from a solution perspective were like: we had all these projects being worried that hackers will exploit our code, and it's like chicken and egg. If you think that hackers need a tool to find out where our code weaknesses are, then we are kidding ourselves, right? They already know where these vulnerabilities are.
C: You know, quickly fix these vulnerabilities, right? And there are other projects, not the big Kubernetes of the world, but there are 400 projects in the Linux Foundation, and many of our projects don't get enterprise adoption, because primarily, for enterprise adoption, a lot of times sustainability means security, and some projects fail to pass the stringent security gates, because most of the enterprises do use their own security scanning tools, and many times we fail to pass that gate and we never know about it, right? And exposure to IP risk.
C: Now, when I talk about security, IP risk is another element. It's not just the code; licensing plays into that as well. So code is made in a sandwich. It's a stack, right? It's not just native code like the Linux kernel; you have dependencies, and whenever you're using upstream packages, each of them comes with its own licensing regime and whatnot. So how does the project know what the software bill of materials looks like? And, more importantly, right?
C: Our community needs to trust our code base, so it's critical that we provide that transparency. So how can we do it in a more transparent manner, right? So we put some projects in initially, like we started a beta process. This product isn't GA yet; that's why I call it beta. So we started building. The first vendor we partnered with was called Snyk, snyk.io, but very shortly we will have other vendors in the ecosystem who are partnering with us in this common solution, right.
C: We scanned 10,000-plus repositories. We found almost a quarter million vulnerabilities, and a lot of these vulnerabilities had easy recommended fixes. Those fixes could be like, hey, upgrade this dependent library. And I'm not saying those vulnerabilities are in the native code base; those vulnerabilities do include the upstream packages that you're using from other projects, right? And we found out, even without using our reports, a bunch of these vulnerabilities have been getting fixed, right, but they have been getting
C: fixed opaquely, not because somebody used a better module or library, but because they upgraded that library version not with security in mind, but maybe with functionality in mind. So we are detecting these patterns. I will walk you through the tools and what we have discovered so far. So, primarily, we have built it for three stakeholders. So if you use most SCA tools as-is from the vendor ecosystem, whether it's GitHub Security, whether it's Snyk on its own, or you have WhiteSource...
C: There are so many players: Black Duck Software, Synopsys, you name it. A lot of them are based on a view of defects that are injected or being tracked, or responsibility.
C: The accountability lies with an individual developer. None of these tools have been able to give us an overall global view of where that project is. A project could be made up of multiple GitHubs, thousands of repos; there's no collective aggregation, there's no collective reporting, and if there is an action to be taken...
C: it's not just one developer working, right? So can we take collective action? So what we did is we started building these views. Number one is obviously the project maintainers and contributors, and I think the biggest benefit is saving time on the security research, because the bugs we are capturing go through a verification process. So in this case we are partnering with these SCA companies, and they have a bunch of research people who are vetting that these are actual bugs.
C: These are not false positives. And then, obviously, as you scale, how can you put multiple people working on these fixes before this makes it through a gating process? Now, from the governance perspective, talking about gating: can we focus on security best practices from day one of the development?
C: How can we integrate it with the developer workflow, right? Like with EasyCLA, what we had done is we tied it to your PR process. So whenever you make a commit, or you are submitting a PR for upstreaming, that's the point where gating happens, or on clhx now. Can we adopt a similar workflow, in terms of building some GitHub apps?
C: If you are on GitHub (you could be on other sources), there is a gating process that gets injected to make sure you fix these bugs before the PR can be merged. So there are suggestions; we don't have that gating implemented yet, but we are working on that. Creating badging, right: we had this big initiative, CII, the Core Infrastructure Initiative, from many years back. It was a trust-based system where people were submitting their projects, some best practices documents, and they were getting...
C: passing, failing, in progress, gold, platinum, silver badges, right? And these badges could be displayed on your GitHub repos, and then there is the global view. But can we expand that beyond just best practices and actually make it part of the toolchain? So again, that's very useful from what we heard as feedback. And obviously, from a governance perspective, you do care about the proper licensing, not just in your native code base but also in the entire upstream, right? And obviously members and corporate sponsors...
C: They essentially are giving money to sustain these projects, and for them it's important that they protect their investments against the risk of security vulnerabilities. They quickly identify which packages are enterprise ready and which are still not. So earlier, when I was talking with some members of the TOC, there were thoughts around, like, hey, can we make it part of our graduation process? How does an enterprise know whether this is ready or not? And again, it all comes down to the circle of trust.
C: So there are some features. I'll actually walk you through the tool, but in terms of the features: we have a centralized dashboard for every project, and then we also have aggregation views built across project groups. So you can look at Kubernetes on its own, but you can also look at CNCF holistically, across thousands of repos, right.
C: We have automated vulnerability scanning. These scans are done on a daily basis. There is a lot of evidence: when the bugs are logged, or these issues are logged, there is evidence attached. This evidence could be a GitHub commit; it could be a security advisory. We have integration with the National Vulnerability Database, so if you're tagging it with the MITRE database (I don't know how it's actually pronounced), if you're looking at CVEs and CWEs that are already logged and indexed in the NVD...
C: you actually have specific evidence that this is a real bug. Many times there could be hacker reports from bug bounty programs or whatever, where developers are throwing in evidence of how to recreate it. So we capture all that evidence and attach it to every bug that we find, right.
C: Obviously this needs projects to have manifests, so that we can actually scan the dependency chain and present you a view where you can look at the entire dependency tree, but you can also identify, along the dependency stack, if there are packages that you are using that have vulnerabilities. That makes your life easier: you can either upgrade those packages or swap them out for some other packages or libraries which are not that vulnerable, and we provide a bunch of fix recommendations.
C: Now, these are recommendations; you have to take them with a grain of salt, because these are recommendations that we found from other people issuing a PR to fix a vulnerability, but you do have to analyze before you go ahead and just implement it. So the ownership lies with the maintainers of the project or the contributors of the project, right. We also have license discovery for every module that you are using, as well as your upstream.
C: We've also started plotting releases, so for every repo (and again, this is based on GitHub versioning and whatnot), if there is a visual correlation that we can establish, like saying, hey, this big release happened, and with those your defect injection rates went up or down or whatever. But net-net, we are trying to build a system which is neutral to any source control system.
C: So whether you are on GitHub today, whether you move to GitLab tomorrow, whether you are on plain Git, we don't really care. We want to build an agnostic platform. Okay, so I'll jump right into the demo, and then I'll also walk you through what's planned from a roadmap perspective. So here's how you access this tool. If you go to lfx.dev, you'll find all these tools, but we have a menu where you can see: this is Security.
C: So if you just say security.lfx, or security.lfx.linuxfoundation.org, you get to this console. So this is the global reporting console, and what we have done is aggregate projects under project groups. So I'll walk you directly into Cloud Native Computing, and you can see these are all Linux Foundation projects, right, and we have 400 of them. So if you go to these projects, we have created these aggregations. Now again, these are from a reporting perspective. You can also see there are projects which we were not able to scan fully.
C: Now, when we partnered with Snyk, we knew they have some limitations, and that's why we are expanding the partnership to other vendors as well, to get 100% coverage, but there are certain languages, like C and C++, that they don't have support for yet, right. So we're looking at other ways to get that support.
C: These are not GitHub issues, but think about them as bugs. Almost half of them, you can see here, are actually fixable, and when I say fixable, these are quick, easy fixes, right, without doing a massive code change. This could be library upgrades and whatnot. And we found quite a few upstream dependencies, and about 1,500 licenses. Now again, these are across projects.
C: Now each project has a project card, so let's say I jump into something like Kubernetes. Right now, again, we haven't been scanning this for a long time, so you can go and look into a time range, like a relative time range and whatnot. So I'm just going to walk you through here. So you can see here these are indexed in terms of severity, high, medium or low, and that severity is determined by a CVSS score. I'll get into the details...
C: if you guys are interested. But along with that, we also started plotting the releases now. This is a little tricky, because the project might be doing one big release; there are some projects that follow that waterfall model, but many of these versions are simply based on repos, right, so all your major repos might have their own versioning.
C: Now this may not be actionable data, but at least, if you're trying to look and filter for a particular repo and you see a big spike happen when a particular release was cut, it at least gives you some visual correlation. We are also scanning all the licenses and all the languages on the code base for that particular project. Let's say you are doing 700 repos: what is your language distribution, right? But more interesting are the issues.
C: So issues are where we have collected all these vulnerabilities, and obviously you can break them down by individual repos, and I'm going to bring up a couple of examples here. So this one here, cloud provider Azure (I'm not picking on anyone, just using it as an example, right), let's say I view these details.
C: I can see each of these is a bug, and it has a type, and you can see the indicator: some of them have a weakness enumeration number, which is coming out of the NVD. Some of them are actually a vulnerability as well. And then you can find out if this is fixable or not. So let's expand one of them. So this is an arbitrary file overwrite, and because we are integrating with Snyk...
C: This one looks like an fstream package, right, and affected versions of this package are vulnerable to arbitrary file overwrite. And when we start looking into what kind of evidence there is: so if you look at a GitHub commit...
C: Yes, you can essentially see there was a GitHub commit which actually identified this, or if you're looking at whether there was a security advisory for this one. And again, this is for the upstream package. Now, in this case the remediation might be something as simple as upgrading. So if you upgrade fstream to version 1.0.12 or higher, this vulnerability is addressed already, right? So this is the simplest of simple fixes, right. So we are providing that. Now you can create a GitHub issue.
C: You can click this one and it will create a GitHub issue for you. Obviously, you have to authenticate with your GitHub credentials, but then you can essentially create a backlog, right. It's not in the system, but it's integrated there. Short term in our roadmap, we are also going to introduce a button which says "fix this issue", and it will auto-generate a PR for you.
C: But again, as I said, you have to take it with a grain of salt, because you might not want the system to automatically generate the PR code. You might want to do it yourself, but we are giving that option, right, if it makes life easier for the developers. So I'm not going to walk through all of these issues. I'll tell you how to get access so that you can investigate a lot of those, but I'm just going to pick up another one, which looks a little different.
C: Let me go ahead and minimize this and look at another module here, cluster registry. Let's look at what that has, and this one is cross-site scripting, and these are again fixable. Now here you can see there are references: there are a number of blogs that reference this issue, and a number of GitHub commits, GitHub issues, and there's even a GitHub PR. And when you start looking into the CVE associated...
C: This is actually an already-indexed bug in the National Vulnerability Database, right, so they actually have all these references. They have steps for how to reproduce it. You also have, again (this is the MITRE database as we know it), they also have the weakness enumeration from before this became a vulnerability.
C: So you have pretty much all the details that can be helpful in terms of how to resolve this. Okay, so moving on, from a dependency stack perspective: how is the sausage made in the sausage factory? So what we have here is essentially your entire app dependency tree for every package. So you can look at this distributed package by package, and you can look into your upstream as well, and for some of them you will identify...
C: there are vulnerabilities, and some are clean. But if you wanted just a vulnerability-only view, we filtered this whole list so that you can actually just focus on fixing these, right, and in particular on which particular library your package has that in. Okay, we are also determining licenses.
C: So if you look at your license tag, these are the different types of licenses that are currently used, in not just your native code base but also your upstream. And so, if I were looking at, let's assume, Apache 2, it's pretty permissive, but if I were to pick something else (and again, it's not a question about permissibility or not), you're trying to find out a license type which maybe you should not be using, right, and you can look at, like, okay.
C: It's kind of a rule-based engine, like if you're saying, hey, if you detect a particular license type, and you're not supposed to use it in terms of your application architecture, then flag it or create an issue, right. And finally, if you look at the settings tab here: many times, when you try to weed out false positives, there could be dev dependencies. You know, like I...
C: Thank you, Matt, for injecting that. Yeah, so dev dependencies are key, right. You're always worried about false positives, but maybe, if it is a production system, you don't want to scan the dev dependencies; maybe eliminate unit test tools or whatever. So we give these flags, but again, these flags should be maintained by probably a group like you, right, which is the SIG, who are setting these best practices. Okay, and then you can also selectively say, hey...
C: You know what, this repo is archived, let's not scan it anymore. So you can design these best practices. In some cases, you can see here, we have errors where we are not able to scan. So you can see here, we could not find for this repo; it might be using some language, and we are not able to scan it because we don't support it yet. Okay, now this is what we have built so far. I'm going to quickly show you a little bit more that we are working on.
C: We are adding net new functionality for code secret scanning. But how do you get access? That's the first thing, right. So generally, for everyone in the community who is a contributor, who is a maintainer, who is part of our technical committee or some kind of governance body: if you go to Projects (I have super admin, so I have access), you'll see a Request Access button, and it just pops you a simple form saying, okay, I'm a maintainer of such-and-such project.
C: Give me access, right, and we open it up. However, we don't want to throw it open for the entire internet, right? So that's why we have this. Now, I'm flexible on this policy. If you guys tell me, hey, open it up for the entire community, we could go that way, but I'm going to leave that decision to you. Okay, so going back to my deck here.
C: So I showed you what we have right now running in production, and in this year, as I talked about, an automatic PR creation process: we are working on that. We are already working on code secret scanning. In this case we are actually partnering with another vendor where we can detect some code secrets, and I have a simple report. I might want to be able to pull that up, some things we have detected, again.
C: The key there is to weed out false positives, because if you have a dev system, or if you're putting AWS keys or your PEM files in there, you don't want to be exposed. Many times, coding-wise, when somebody is developing it and putting it in a build system, they might use a key with the assumption that they're going to take it out when it actually is the master commit, or when it goes into running in production, but Git keeps your history for sure, right?
C: Anybody who is scanning the Git will be able to find your secrets, and there are different best practices around that. But, like, in H1 we are also looking at creating this comprehensive security badging. We have CII today, but we are trying to create a security index tied to a digital badge. In H2 we are looking at enabling build custom scans as well as container scanning, and the software bill of materials and policy management I already talked about, which is around the licensing and how you define those policies.
C: One thing we don't have today is C/C++, so this is definitely a roadmap item for us, and we have a stretch goal of static code analysis this year. Not sure whether we will be able to make it, but I'm challenging my engineering team to work on this. Okay, so I'll open it up to questions, but I do want to share one report.
C: I would not be able to send you the link; I'm going to send you a snapshot. So this is around code secrets. So we are actually analyzing whatever we have discovered. We'll put a UI on it, put it into the security interface, but some of these we discovered I wanted to give you a heads-up on. We found everything from API secrets in some files. Again, these ones, now, these might be false positives, but there are other projects we looked at...
C: where passwords are set up in environment files. There are private keys that are actually committed to GitHub instead of using some kind of a key manager (let's assume Vault or whatever); people are dropping these right in. Now, it's multiple risks. One is, in some cases we found hundreds of contributors dropping their...
C: keys in there, and again, those user accounts are at risk. But if you use a proper key management system... or there are certain things like cryptographic key bundles. We have found evidence of, primarily, a lot of secrets and keys in packet capture files, like pcap files, right; even if somebody replaces it, you can easily find that out. There are keys, like JKS keys, found in the repository itself. There are password assignments in JSON files.
C: So for a lot of these we are doing a fact check, working with these projects one by one to identify, like, yeah, these are indeed issues and you should be fixing them, and trying to weed out false positives. Many times you'll have, like, hey, this is a markdown file and you have a key floating out there just as an example; you can't do much about it. It's just an example, right, and that's not a real one.
C: So we are trying to go through this list, and once we come up with the actual solution, in the same interface you will probably have another one here called Code Secrets, and it will automatically discover all the secrets for you. Okay, and then it's up to you to identify which of these are false positives, but we are trying to design a regex-based pattern where you can say, okay...
C: this is kind of a pattern on the regex, and the regex could be your hash commit, sorry, your commit hash, and you can say, okay, anything with this commit hash, just ignore it for now; this is maybe not a false positive, right. So anyway, that was pretty much it. I'll open it up to questions and more feedback.
H: I think, as a big tool, it looks great. I don't know if you're keeping an eye on the sidebar chat. I think, for those of us who have sort of run these scans before and gave them to developers and said "Merry Christmas", the interesting part is how do you... and I understand we're talking about tools, but then the next step here, I think, is how do we help those developers actually understand those results that we just threw at them, and help them actually process and fix?
C: Yeah, so I think that's actually a good question. So yeah, there are bugs, but what we are also trying to do is, we had this big initiative we started at Harvard called the LISH initiative, where we invited all these SCA vendors, and we are actually hiring; we actually hired a security expert ourselves. His name is David Wheeler; he's a director of security for open source, and he's providing services across multiple projects.
C: He's also involved very closely in the CII initiative, as well as the OpenSSF project framework. Now, what we're trying to do is, obviously it can't be just written by one person, so there is evidence that you can find about what those bugs are and whatnot. But in terms of setting up best practices, we are trying to create at least a pool of subject matter...
C: experts who can provide these guidelines. But also what we are trying to do is, if the projects can introduce the best practices themselves early in the toolchain, saying, hey, you know what, let's make it part of the graduation criteria. When I say graduation criteria: maybe it doesn't go from sandbox to incubating unless you are at this level of vulnerability cleanness. Not sure whether that answers your question.
H: I think, sort of. I'm trying to give others a chance to chime in. I think what I was talking about more is not so much... I mean, what you said makes sense again, end to end, but I don't know; let's pick, you know, you had Steph in there. Let's use this example: you suddenly sent them 50 or 60 issues; they didn't have their own. They might; Red Hat might, that organization might, but how otherwise do they deal with suddenly going, okay, well, what do I do?
H: Am I using the right type of SHA checks on this example? How did those end orgs... how do we help those end orgs do that? I mean, yes, I saw this. I saw this, sort of, to give another example, back at CloudStack days. I brought it to Fortify; we had them run SCA scans. We had the results go to the team, and they're like, so... and that's where my thinking is coming from.
C
Got it, no, no, that's excellent! So today we don't have a hybrid way of, like, you know, behind-the-firewall connecting it, and a lot of these enterprises or end users, you know, run their own security scans. So one thing I'm looking at is, like, you know, we might be able to expose APIs now where, you know, they could either use this data, like they can pull this data downstream.

Now these reports that we have, they're all exportable, but an API is definitely a more efficient way to scale, and obviously we have an API gateway that does all the auth and everything, takes care of, like, the permissioning, auth and validation and all. But this is actually a request coming in where, like, you know, our member company said, like, "Hey, is there a way for us to publish vulnerabilities we found downstream into your global index?" Or maybe, you know, if we can even pull these down with essentially a public API. When I say public API, obviously with keys and all, you know, an authenticated API where they can actually consume these. That might be the way to go, right?
F
So I have a... thanks for a great presentation, Shubhra, also. I just want to try to understand the scope. So this is... I mean, what is the availability and the consumption? How do you... is this purpose-built for the Linux Foundation? And obviously it's got a lot of those projects and all the associated projects, you know, but what is the... how do you get more adopters? What is that framework like?
C
Yeah, so to answer your question: yes, we purpose-built it for the Linux Foundation projects. However, it's more of a... so we have some operational cost, because, you know, we are spinning up, like, hundreds and hundreds of containers and scanning and aggregating these results and whatnot. So so far we have limited the scope to any Linux Foundation project: you get this service, right? So that's how we built it to scale. However, onboarding a project is fairly simple. You know, there is an app, like, I'll show you the app itself; close this window here.

If you wanted to bring in a project which is not under the Linux Foundation, and you know, you say, "Okay, hey, secure my app," and you know you have, like, this thing, like, "Okay, sign up," and then when you're signing up your project, you know, you give the project name, a category, an elevator pitch: why should we be scanning it? You provide us the repos. Now this could be a repo URL, it could be an org URL, and, you know, if you have a CII ID, we want to encourage those best practices, and who would be the key contributors who need access to this data. So if we get a request, it puts stuff in our queue, and at that point we take a call, because from an operational standpoint my team does, you know, take the infrastructure call.

We are eating it as part of the Linux Foundation global effort, but I think we are open, right, as long as, you know, that's not a project where, you know, just some enterprise is trying to bypass, like, you know, their security spend. You know, we are not a tool provider at the end of the day, right? And so we are open to, you know, onboarding projects which need this and, you know, they are not able to... you know, they don't have either the budgets, or, you know, they are more aligned with, like, the open source ecosystem. They may not yet be part of the Linux Foundation, but yeah, we are open to offering it. I'm just being watchful of the cost element in this.

You know, you can basically get your profile. Every developer contributor needs to have a profile that manages the access control, so we have tightly integrated it. But yeah, it is pretty much, at this point, you know, tailored for Linux Foundation projects, but we are open, right? Like, technically it's absolutely doable; it's more of a governance and business question, if you ask me that way.
A
I wanted to bring up, we have about 20 minutes left and a couple more presentations and a ticket to bring up. Shubhra, a) I wanted to thank you for this, and b) I wanted to ask if there was a way that people could address additional questions your way, like an email link, or if we should open a ticket in our GitHub page. I can issue there, and people can post there for Q&A. Yeah, what's...
C
Yeah, so we have... I... yeah, so we have a support channel. This is essentially a Jira desk for us services. For us, we have a questions forum as well, and you have my email. It's just s-k-a-r at linuxfoundation.org. I'll be more than happy if you send me questions directly on that channel. And, you know, all these dev questions and support questions, like, you know, these are just Jira tickets. They fall into our queue, so I think that would be the most efficient way. And right now, like, you know, as we get to MVP and, like, basically open this up beyond beta, we're just going to publish it on GitHub, right? So issues would be a great way to collaborate.
B
I just want to kind of quickly mention one point I think that we should follow up on from the SIG Security perspective. When I saw this, the first thing I thought about was, you know, the security evaluations and the CNCF TOC process. I think this is something we should definitely sync up on, and maybe somehow we can get access for maybe the co-chairs and technical leads for SIG Security.

So I think, just on this front about including this in the CNCF project process, how should we go about engaging on that?
C
I would definitely like to participate and, you know, bring my input from a roadmap perspective or from an engineering perspective, and we'll also share up front, like, you know, as we are starting to design those, we'll be pretty transparent, right? We'll be openly sharing how we are designing it, how the architecture works. So yeah, feel free, if you want to invite us to one of those, you know, discussions, more than willing to join.
D
This is such a value for any project coming in; it should be marketed as such. I mean, I had no idea about, like... if there was a cliff note of some sort that any project coming in... this should be a selling point for the CNCF for projects, like, this is so much work that you all put into it, and all of that, and the various tiers that are there. And I'm sorry, Matthew, for bogarting a meeting, but just, like, it's... this is a fantastic, fantastic presentation.
A
What I'm gonna do then is quickly go through what we have on our list for today, and if anything runs over, if it's just a few minutes, we'll keep it going. If it's gonna be significantly longer, then we may have to shelve it, so I'll try and push through as quickly as I can. All right, so the next thing I have up here is from Pushkar, and if I ever mispronounce anyone's name, please feel free to chime in and correct me there. And then on GitHub issue number 480, Pushkar.
E
We have had some good feedback over the holidays, and now that I'm back, I wanted to start that process again. So basically, we have a meeting set up for it as a starter meeting a week from now, nine o'clock Pacific, just before the security landscape slash geography meeting and before our usual security meeting. So that's set up to discuss more on what needs to be done, discuss some of the comments we have.
G
Sure, hi guys, this will be really short. I just wanted to give you a heads-up about a couple of NIST things that are ongoing in the last week or so. One is the DevSecOps and zero trust architecture presentation. There was a fee to join this, 15 bucks U.S.; some really good content there, represented some of the Air Force DevSecOps frameworks, but some new stuff I was not aware of on next-generation access, microsegmentation, a different flavor of that. But NIST is pushing pretty hard on a new way of looking at service mesh as a way of kind of reframing the access problem in a way that's more scalable, so that was pretty interesting. And yeah, I think you can probably grab the artifacts without having to do the whole replay. Also today they're running the second day of their workshop on OSCAL. I'm not too knowledgeable about that, but there's some... those of us in the compliance industries, if you want to call them that, that's of some use to us, because we gotta produce documentation about our security plans, and there's an attempt to automate some of that that's going on. There's a link to both of those in the scribe section of the notes. That's it.
A
Thank you, Mark. All right, scribe section of the notes. A quick question, Mark: the seminar you're mentioning there, I think, had like a $15 entrance fee. I can't see it in the notes here. Maybe my... it's not updated with the scribe notes. It's at the top.
H
Just wanna give a quick update. So a few of us responded out to the SIG... I keep screwing up their name, SIG Application Group... so, excuse me, SIG App Delivery, to help them with their white paper for operators. So we're starting to help them with that. I think Cameron and I are in there; hopefully we'll go get one or two more. We got about six weeks to rough in some of the concepts for that, and we'll keep chewing on that. Anyone wants to help, happy to take more helpers.
B
Awesome. If you would like to open an issue, then we can kind of share this as well with those that are not on today's...
A
List: okay, I'll take this. No, we got another 10 minutes. If anybody wants to throw any more Q&A at our presenters... and otherwise we'll call it a day.
C
Yeah, I think, just to read out, I think there were some questions about the SBOM model. So currently we have a couple of people in our legal slash project governance team who use the SPDX model, and that has actually been working very well with us. So again, we do that manually.

So one of the goals is actually to automate on top of SPDX as a minimal viable product, but we'll also be open to, like, if there are other standards that come around. But for our initial MVP we are trying to do it with SPDX, and, like, even if you look at some of those license files that we detect in our security tool, those are all actually linking back to the SPDX references.
G
Yeah, good to know. I asked that because, oh God, OMG, I think, is trying to stand up a new standard on that. But I don't know how far that's gotten.
A
I have one question, and this is probably something that still needs to be fleshed out, because it's a very broad one, but on the topic of badges earlier: from my perspective, if I understood it right, those were from a sort of team or project perspective rather than, say, an individual user. That's right? Would those eventually break down in granularities so that maybe you have one or two, for lack of a better term, reportees or lieutenants, or however you want to put it, per project? Like, let's say a non-ideal use case: angry sysadmin sort of thing, and maybe a company is still reputable, but an individual bad-faith actor that, fortunately, no longer has access to that embarrassed them or did something they shouldn't... Does the roadmap have something sort of along the lines of this?
C
Not at that level of detail. We definitely have thought about projects, yes, lambda... We already have that structure. We are looking at, like, a contributing organization or a contributing individual, but we haven't, like, broken down the rules, as you mentioned, like, you know, this person has left the company or, like, you know, they are kind of a rogue player. So we don't have those details yet, but we have looked at, like, an individual, a company and a project. Those are the three structures we are thinking of from a badging perspective.
A
It does. My follow-up is going to be, and I'll defer this, but was having each individual contributor have, like, say, a trusted signing key for all their commits and contributions, like really tie an author to a contribution. But I'll save that for later.
C
Yeah, so if we have one minute, I want to show you a little bit of something here. So if you look at security, or, like, even if you look at Insights, this is another one I should ask you guys to check out, because we are collecting all the developer contributions. And if I have to just pick any random project here... this is a finger academy software... I'm just gonna pick up this one, I'm probably not... it's not a common one. It's not a good one. Let me pick up this: Kubernetes.

Eventually, like, you know, we are building much more, where... DevStats plus plus. Think about DevStats plus plus, and, you know, you have all these commits by companies, commits by, you know, all the individuals as well, and, you know, like, which line they are adding, how many lines they are adding, and all that kind of stuff. And then, like, this is where we are looking to also, not just at the repo level but also at the individual profile level, like, pull those badges. Now, the project's badges will be obviously within GitHub, right, as well as on this reporting console, but we are trying to tie that digital badge for an individual in terms of, like, a security index badge. Think about it that way, right? Just to give you the concept of how we are looking at this.
D
Again, something that could be marketed, right? "Hey, wow! I am a certified, you know, secure developer on the..." you know. I'm sorry, I'm just... I'm not thinking with, like, a sales hat, I'm thinking in general. It's, like, a totally good way to have people get involvement, understand, and all that fun stuff. It's really cool.
A
Are these certifications in their... I guess, do they all come from a single training or authorization entity? Like, could people throw in stuff from, say, Linux Academy, Cloud Guru, or even throw in something like, if they have a PNG or RPE designation or stuff like that? What's the sort of source of truth for these values?
C
This is all tied to identity, by the way. So this actually has come up, like, because we built this entire thing as a Linux Foundation global identity, but for us to go and reach out to badging from, let's say, Oracle, Red Hat, or maybe, you know, not a corporate but, like, an organization that's providing... we need a distributed identity system. And OAuth 2, which is the original implementation, like, there is management overhead, and not everybody, you know, is too friendly... if they were, you know, fed-friendly, we have federation capabilities where we can integrate and pull those badges, because you need to tie it back to an ID, right?

Now there's a larger conversation happening where, you know, there is a distributed identity project based on, like, think about, like, blockchain technologies like Indy, where, you know, if you are to implement that distributed framework... it's a specification, and everybody else does the implementation in that framework, then, you know, we can neutrally pull this together, right? I think the neutrality is key here, because we don't want one company in the space to provide, like, manage what the global identity is. The Linux Foundation, interestingly, is in the unique space of that neutral body. So this is actually... we are getting some requirements, even globally, even from the government, to start working on something around our distributed identity model. But short term, if they are on OAuth 2, I think we have the federation capabilities to pull that in; we just haven't marketed it enough.