Description

Meeting notes: https://docs.google.com/document/d/1ttqkcYPmYZyqvtkaHs92bx2UeVUiXDhuzP-0WbP11Fw/edit#heading=h.7o2ubzl5z39r

B: Yeah, I, you know, maybe next.

A: Year, please do, please do. I will note that I added some notes to the Best working group discussion here, so I saw.

B: We are compiling, if anyone has any topics that aren't currently on the agenda, please add those to the open section. I have a link to the agenda in our Zoom chat. It is also pinned at the top of our Slack channel.

A: There's a lot of people that, you know, you never have a chance to talk to, except for this conference, so I'm gonna try to, I'll do as much of that as my body will. Let me, awesome.

D: Hey folks, I'm Ola Dewberry. I hail from VMware and, yeah, I'm really just here to listen and to learn. We're working, I work in an incubation lab in the office of the CTO and, yeah, just looking to get familiar with the community and what's going on. Awesome.

E: New today, my name is David Alcantar. I work at Microsoft and I am definitely here to listen, but I also have a very sudden proposal that I want to make for a project that we are trying to head up over here at Microsoft. That's something we're interested in donating, clinical, donating, really collaborating with OpenSSF on, so I will speak to you guys about that when it's my turn. Go.

B: Ahead and add that to the open section, if you would, David. Yeah, I definitely have, thanks. All right, the most important job on this call: does anyone able to assist us and take notes, please?

F: Many hands make easy work, right? Yep.

B: All right, so again, if there are any opens, please add those to the open section of the agenda. Let's kick off with the sub-project updates. I see Mr Wheeler's been very busy, as always.

A: Well, thank you. Yeah, so trying to keep people in the loop of what's going on. First of all, quick welcome to a new maintainer, Andrew Fader. I don't think he's on the call today, but, you know, I'm doing too many things and I'm still going to leave this project, but this is going to bring some very, very welcome help.

A: He's going to be focusing on doing some updates, like moving us from Rails six to seven and that sort of stuff. One kind of nitpicky thing, but just for those of you who are keeping score: Heroku's removed their free tier. We historically, although we pay for the production site we've been using, we've typically had two other tiers called main and staging. We're dropping one of them, because now we've got to pay for each of those, so pull requests and rationales and such. Are there questions?

A: Actually, I think I'm going to try, my first step, to see if the CNCF will just keep paying for it. So I want to be kind to them, but, yeah, we've actually had chats about that. It probably wouldn't make more sense, but I hate to mess with things that are working, so.

A: That's right, that's right! So, and the thing is, the rationale is, you know, it's a requirement for them for graduation, and historically they had a lot more funding, and, you know, it would make sense to move over, but right now I don't, in the grand sense it doesn't matter, because I want to try to minimize the cost of whoever is paying the check.

A: I appreciate it, yeah. So next up, anything else before I, I was going to move on, but I shouldn't before questions. Questions?

A: Okay, all right, so the next thing, and I'm currently in a hotel room. So I have a, it's not a desktop metaphor, it's the airplane, it's the airplane seat metaphor: I've got this little tiny screen I'm working with. Okay, so, security fundamentals course.

A: I've actually had two separate meetings with the SKF leads. We've talked a lot about how to better integrate SKF and the fundamentals course. For those who aren't familiar, the fundamentals course, we work on having a really high quality but, you know, very simple "here are the fundamentals on how to develop secure software", and we've emphasized minimizing the amount of time for developers, because a lot of developers don't have a lot of time.

A: One of the decisions is, you know, lots of little quiz questions as you go and a little final exam to see whether or not you learn anything, but no labs, intentionally. So SKF takes a different approach: labs. I think we all agree that labs are better for learning, but they take a lot more time and a lot of people don't have the time. So it makes sense to have both, but the SKF folks do of course need, you know, that kind of linking material.

A: So it makes more sense for them to integrate the fundamentals course in, so that's what they did, but what they did is they hand-jammed. They took the course and hand-converted it into SKF, and that had some, I mean it ran, but the problem is, we keep making updates, Glenn, and our updates aren't getting reflected, as Jeff, Glenn.

A: Fun. So I mean it actually made sense, they're trying to get something done in a hurry, and so they got something done, but the longer-term plan is they're going to create a converter. I said it's filed, where's the script, some kind of script that's going to read the markdown and convert, and that'll let them automatically do updates, enabling, enabling.

A: Automatic updates. And the plan now, they need some information in the markdown to point off to say: hey, right here, you could do a lab. Well, I don't know who's putting in GitHub Actions, that wasn't committed to, I mean I think that's the obvious way to do it, but that's up to the SKF folks. Yeah, we're.

A: Yeah, if you're going to use denim, that's great. Okay, yeah, I guess, you know, I just don't remember making that. I don't want to commit them to something unless they commit to it, but basically that'll just do automatic conversions and we'll add HTML comments with little markers in the HTML to say, hey.

A: You know, there's a lab here, whatever, and that way when they bring things in, they can immediately add the links and that sort of thing. And I think, you know, if somebody else had the same need, we could add other information the same way, but that way, one source of truth.

A: When something gets updated, you know, everybody can just quietly take the update. No muss, no fuss, and I think that just makes sense. Let me pause at that point, because that's an integration issue between projects. I think it's just the obvious way to do it and I think it just kind of, you know, it makes sense to everybody, so we'll work out the details as we go, but I mean, as always, HTML comments.

A: It won't matter for markdown, and as long as SKF can read it, then all is well, and so they can decide what they want and put it in and all will be awesome. Okay, all right, I don't see any issues, at least comments. So, little nit: we're gonna move quizzes from heading level three to four. There are about 75 quiz sections in the fundamentals course, and that's not just quizzes, that's sections.

A: Many of them have more than one question, but the idea is to help people learn as you go. It's, you know, instead of labs, they're much faster, but at least, you know, it keeps them off the "I read words, but nothing entered my brain". And there's some really awesome, really old books that did this, that I found very effective, and so I think it's a really effective technique.

A: But this makes the generated table of contents much, much easier to understand, and we're also going to tweak the names so that every section name is unique. That's gonna make Mark Donald happy. Well, that'll allow us to add markdown link check and, more importantly, it'll mean that every section will have an obvious, unique HTML anchor. So you can jump to anything, and that's important for being able to link between sections and making sure we don't screw things up. I'm out for my crazy updates. Anything else?

G: Yeah, well, normally it would be way more, actually, but we're pretty swamped with the whole ad plan, actually, so, actually, no real updates in the platform. But what I can say is that it's actually running quite smoothly now for, like, a good old month, since we did the SSO implementation and some other fixes. We see that we have around, like, one unique new registered user or login through SSO, like GitHub and that type of stuff. So that's quite nice. Also a lot of people from the universities, actually.

G: So that's also good. So, yeah, I just wanted to share it's running, it's working, and we have around 100 unique users who use the security requirements or starting labs, actually, yeah, to learn. Yeah, and the other thing, yeah, we're really busy with your Adu safe, so, yeah, not a lot of updates, unfortunately, for my side in SKF at least.

A: Sonatype, really, you know, well, Sonatype has a report and they have all sorts of interesting analysis about Scorecards, analysis about Scorecards. I hate to, over the, the quick summary is that they looked at what projects have known vulnerabilities and compared against Scorecards, and they found that indeed several metrics of Scorecards were actually predictive, and in particular several of its metrics were very predictive.

A: You'll be unsurprised, things like, you know, having peer reviews and pinned dependencies, interestingly enough. So basically it's measuring some, you know, it's clearly measuring something, things that value more detailed.

C: Report.

F: Sure, so, our section, again, we're focused on collecting and curating the content, so everyone hopefully knows that the spreadsheet we put together to gather all this information, to get a one source of truth, is out there. It's available. I see that there's been more information added to that spreadsheet. So please, asking everyone who knows of any of these materials that may be accessible and available, please put the information in the spreadsheet.

F: If you have any questions about what some of the stuff on the spreadsheet means, please reach out to myself or Crow, or anybody else in section one, to talk about that, and we are focusing on getting the plan together by the end of this month.

F: We are working on a road map, milestones and objectives, primarily for 2023 and a little bit into 2024, trying to figure out what the needfuls are, what budgetary requirements might be included in some of the things that we want to do, and how to actually prove that we're being successful at what it is we're trying to accomplish. So that is also in flight, it's in the git repo.

G: Yeah, I just had one question, actually, for the matrix, because I think we also discussed about the open, if it was like open data, actually, so meaning that we actually can consume it. Is that the column E, reusable?

G: Check, all right, yes, okay, cool. Yeah, for section two, we actually are now, I think, around 60 done with the goals and milestones we are drafting up, yeah.

G: The section two plan, I also created an issue, because there was actually also a sort of overlap between the section of us and section one, and that was about, I think, the translation parts, actually, because I saw in section 1.5 there was a "hey, we're going to hire to translate, actually, to like five proper spoken languages", and we also had in section two something, and I think we already discussed that as well. I don't know, in the whole group, only in our section, but that was basically like, hey.

G: Let's maybe use an automatic translator API to have on-the-spot translation to whatever language people, you know, are familiar with. So I just wanted to check here in the group, yeah, what we should do in terms of who's gonna do it and pick it up.

G: Issue is that I linked it. It was.

B: So Glenn, Dave and I need to look at that issue and have an answer by end of day. Please come where we think that's going to land and get those things moved appropriately.

A: As far as different human languages, correct? Yeah, I mean, if we don't mind having a quick conversation right now, I mean, I'm all for translation to multiple languages, but step one is to make sure that the content's worth it. So typically I would suggest, try to get things a little more firmed up first, because it's costly to do translations and keep them up to date. So.

A: Okay, we're, I don't, is there, I don't have a link to it from the best practice working group notes.

B: Me, Glenn has, Glenn has the issue, and that's golf: that's 32, so anyone, that's welcome, but Dave and Glenn and I must look at it.

F: Said that, we're also putting together a paper.

A: For it, but I'm not, a lot of, I have a tiny little screen and honestly, is the notes for today, no worries.

B: They're still making progress in section three. Went through and I've adjusted the style of the plan so that it's a little more consistent. So we have the milestones more clearly documented, and I'm also providing a placeholder for future issues to be filed and linked, and that's, let's talk about the full SIG.

B: Ideally, the plan is, target, I want to have it done before the end of the month and have the full Education SIG review it. Anyone from this working group is welcome to join in that, if they desire. From there we'd like to give it to the TAC in early December and then the governing board before the end of the year. So that's kind of the schedule we're working on for the Education SIG to get funding on these efforts.

B: So we are zeroing in on the 1.0, a final draft, and any, get your change requests in now. Any other changes after those dates will be pushed into the backlog for year two or beyond. Any questions about the Education SIG? And there's a link there, that is the landing page for the full plan.

A: Mr Wheeler, yeah, so I'm looking over the 2.0 plan and here's the blob that I'm looking at now. I know we had earlier had short lists, and then we have an expansion, and I'm not sure what happened between the short and this longer list, but I'm okay to delay a little bit on the K-12. I don't really see that, but I think we're gonna need to get the, you know, some sort of management.

A: You know, training for managers, not manage the training, which is what 2.0 only seems to discuss. If it's there and I missed it, please point it out to me, but somehow in between our high-level discussions and writing this down, I'm not seeing it. Don't miss it, and I admit, my apologies, I'm doing too many things, and sometimes things get.

A: Yeah, but I don't, but okay, so, shouldn't that be reflected in part two, expansion of the training?

A: And it will all be completely consistent, yeah, okay! So that's a particular bugaboo that we didn't have in the original mobilization plan, but that was really one of the first things that a lot of the government folks came back to. They're right, that's right!

A: Awesome, all right, I'm actually interested in doing that, Crow, but not only just the write.

A: Write my name down, not of that, but I might even be willing to try, because, yeah, there you go, because I think that's, you know, it's all nice and well to say "hey, it's important for developers to know it", but if we don't get the managerial side on board, it's not going to have much of a push. And.

B: For those of us that don't also participate actively in the Education SIG: the Education SIG is putting together this proposal for a large body of artifacts that we will produce and then go out and train different learner types through different channels, like a college class, through an online computer-based class, through labs, and once that plan is approved, we will need the generous contributions of many people, and the SIG will be coming back to this working group.

B: All right, so we have a guest today. Noam has stopped by to give us a short presentation, so I'm going to skip and do that and then we'll circle back and hit the agenda and the other opens. So, Noam, if you'd like to take it away. If you have anything to share, show us, or if this is just verbal, you know, take it away.

C: You can see my screen? Yes, indeed. Great, so I wanted to talk with you guys about the GitHub security best practices. Actually I had two things to show you today, but I'm not sure about the second one. So, let's begin.

C: A couple of months ago, I saw a message in the Slack channel that someone asked if this working group have a GitHub best practices document, not sure if he's here, and that sounds like a great idea for me, and Legit, it's Legit, we analyze SDLC assets, GitHub, GitLab, Bitbucket, Jenkins, and we've seen many, many types of organizations and security misconfigurations, and we have pretty good knowledge about these areas, and we thought it could be a good opportunity to contribute back and to help create such documents together with this working group. Okay, so.

C: Additionally, in open source projects there is even, it's even more important, because the internal configuration is open for everyone. So if, for example, I go to a popular open source project and I see the GitHub Actions workflows and pipelines, I can say that it is misconfigured, and I can, as an attacker, exploit it, because I know the internals.

C: To this we call it namespaces: database, organization, organizations, and misconfigurations such as MFA is not enabled, SSO is not used. You have repository misconfigurations, which is like peer review is not mandatory, or the repository allows forking, or it's public. You have members, stale members, GitHub Actions related misconfigurations, Codespaces and runners. There are many areas in the GitHub platform that DevOps engineers need to know and understand, and.

C: And pipeline code vulnerabilities, command injection, etc.

A: Shortening his name, I see that. Okay, well, I already started. I'll start responding to Dave, so I'm going the other way, yeah. So I do think that there is a need for guidance for using some of these major forges like GitHub. I don't know if it makes sense to have a single doc that covers multiple or a single doc per each. I wouldn't be surprised if it makes more sense to have, like, one for GitHub and a separate one for GitLab, because their user, I mean, there are.

A: There are overlaps in functionality, but the user interfaces are different enough that it would probably make more sense to have separate documents. I would certainly want, if at all possible, collaboration with the respective organizations, so, like, you know, recommended configuration for GitHub, I would very much want, you'd have to be involved.

A: Let me kind of ask the elephant-in-the-room question, because somebody's gonna ask it sooner or later, so let's confront it head on: hey, that sounds like GitHub's problem, let GitHub do it. I think there's some answers for it, but before we take on work, I'm always happy to let other people do work instead of us. We have limited time that we can do things, and granted, Scorecards does hit a little bit on some GitHub recommended configurations.

A: But do we have an answer for that question, and if not, maybe we should kind of think that through.

C: And my opinion is that GitHub provides, like, a lot of information. They have very detailed descriptions of the features, but you have to make something that is simple and digestible for the users, and.

A: Okay, all right, so let me rephrase what you just said. Tell me if I, because sometimes I find it useful to paraphrase something to see if I got it. So the issue is that GitHub's trying to provide a very general service with lots of general functionality, but that can be complicated to figure out how to use. Something that's more opinionated, that says: hey, there's lots of ways to do it, but here's a happy path with some specific opinions that will quickly get you where you need to go.

C: Yeah, and additionally, I think that there is more knowledge for the.

C: Of, like, GitHub created the platform, but companies use the platform in many ways and they have many use cases, and it's not a one-to-one relation. So there is some interaction between the misconfigurations, not everything is straightforward, and there is a lot of research about this stuff, and yeah.

J: Yeah, I'd like to add a comment, but I'm not against the kind of document. What I'm really, really missing here is the why. We have a quite long list of the things developers should do, but what I'm facing in practice is, for example, for the two-factor authentication, people say, but why? Why should I use it? I don't want it. It requires me to have a phone app or whatever, I don't like it.

C: Okay, so if there are no further questions, let me continue to the second part. So actually I wanted to present an open source tool we developed, after being grabbed in this call. I'm not sure if this is the right working group, because if I understand correctly, you are focused on creating education and content and less about specific tools.

C: Okay, perfect, okay, so we've developed an open source tool that scans GitHub for misconfiguration security issues.

C: Project, in that Scorecard is focused on a specific repository, and this looks holistically on the whole: GitHub assets, organization, members, GitHub Actions, all of the repositories of the planners, and gives you a detailed list of where are the problems, and if you don't mind, I'd be happy to present it. Here's a quick demo, yeah.

C: Yeah, so let's start with a simple command that will show us what assets the provided token has access to. So you can see all my organizations and what are my permissions, or a lot of organizations, and then.

C: And then you get a detailed table that summarizes all of your problems, and.

C: Namespace, you can see that you have different namespaces: organization, actions, member and repository. You have the specific policy that is violated and how many of your assets have passed, failed or skipped. Skipped is when you don't provide sufficient permissions. And this is the summary table, and if you go up, you have a detailed description for each violation. So let's go here. For example, we can see the policy default.

C: Branch allows pushers to, protect the branch. You have the description, you have the remediation steps, and which assets violate the policy, and this way it is easy to solve the.

C: And we also provide a JSON output, so it can be consumed by software, and it has an evolving list of misconfigurations. We research GitHub for problems all the time and for misconfigurations all the time, and we keep adding new policies. So it's a living tool, and yeah.

A: I'm a little confused. You said it looked more at the organizations, but a lot of these reports look like they're per repository. Maybe I'm misunderstanding something.

C: So you have many misconfigurations for repository because of the branch protection rules, and this is like the heart of the software. But we provide misconfigurations for, okay.

B: So, do you have any plans to extend this tool to other source code repositories, or are you only ever going to focus on GitHub?

C: We are planning to add GitLab support in the next few months, couple of months. Cool. But if I connect this question to the previous one about the documents, which should be either one for all the SCMs or different ones, I do agree that we should make different documents for each source management, because.

A: I have to admit, I wouldn't be surprised if you made a document per these different forges, but then immediately try to unify as much as possible, because although there are, like, a pull request in GitHub is a merge request in GitLab, however, there's a whole lot of commonality between some of the things that you most want to enforce, they are things that are commonly supported, though not always by the same name.

C: Extend this and say that when we search for vulnerabilities inside those projects, there are similarities between the vulnerabilities, inside the source code it is similar. It's also internal, which is interesting.

A: I'm very intrigued, I would love to see the rule set of this. Now you made a statement earlier, so I just want to come forward and say it. This is totally within scope of this group. I mean, Scorecards does a similar kind of thing at a project level; you're including both, you are doing things at org level, although a lot of these frankly look at a repo level, and that's fine too. So, but I think this is totally within scope of this group.

B: I'm not disagreeing, but, you know, if this was something we would want to adopt, we would want to put it to the working group as a vote. Oh.

B: Thing with the best practices guidance, that is something we do, although we try to remain as vendor neutral as possible, so I would be hesitant to do something with a specific focus on a specific technology.

A: Right, and, for example, the Scorecards, the current implementation only works on GitHub. However, I worked with the Scorecards folks to make sure that all the criteria are neutral, they're not specific to GitHub at all, and it's only the current implementation, and there's been some effort. The intent is to move beyond.

A: Excellent, okay, we're gonna put that, okay, the chat, this, by the way, goes away when our thing closes.

H: Right, sorry, no, I just wanted to express support, I mean, you know. As long as we keep in mind the vendor neutrality aspect, and everything I've seen in the presentation seems to support that ideal. So, yeah, this looks really good, and I think it feels to me like it would be a good complement for Scorecards.

B: Like for integration options, we would have to go to the Scorecard project and talk with them, kind of like how we had, you know, Best Practices and SKF talking, kind of arranging out of band how they might better synchronize. So you need to probably go talk with Laurent and Azim and everyone in the Scorecards group to kind of present to them and share your ideas, specifically with any kind of integration there.

A: There are many ways, including federation approaches. I mean, the Best Practices badge and the Scorecards: Scorecards takes the totally automated, Best Practices takes the mostly form-filling with some automation, and the integration is basically the Scorecards yanks in the back the badge info where available, so there are many ways to skin this cat. Step one is to discuss.

A: Yeah, no more, I got the GitHub link to the Legitify overall page. Is there one that's more specific, with the rules that you've got? Because I think those are, that's the cool, especially cool nugget, is all the things you're looking for. Yeah, okay, legitify.dev? Okay, that's the thing I wanted to know. Yeah.

B: So if there is something specific you want to propose for the group, like if we want to collaborate on the source code best practices, or even about, kind of, yeah, including your tool as part of our working group, we'll need to put an issue together and kind of talk through that and then have the whole group vote on that.

B: Thanks. I apologize to David, we ran out of time. If you could come back in two weeks and talk about your guidance portal idea, we'd love to hear that, if you're available. Guidance.

B: And as Dan mentioned at the top of the call, we have a couple issues we're looking for some closure or comments on. Please take some time and look at issue 99 and 97, and those affiliated with that, please add comments or get us closer to a closure on those. Please, ramble.

A: All right, and I would propose that David Alcantar have priority, step one, since we unintentionally bumped you, and I'm very sorry, I didn't realize that was happening.

E: It was genuinely very, very educational information for me. I don't know much about what you guys are working on here, and I feel like maybe there's a little bit of overlap with what I wanted to talk about, but this was a good start for me. So thank you. I appreciate it. Excellent.

B: Well, check out our repo and, you know, cruise through the meeting notes to kind of see what we're working on. I want to thank everybody for your time and attention today. I appreciate it, good call. Thank you to Noam for presenting your ideas today, and we will meet again in two weeks. Cheers all.