From YouTube: Supply Chain Integrity WG (March 30, 2022)
A: So I saw a handful of things on the agenda, yeah, so I'm not sure how much time they're gonna take up, but it should give us something to chat through today.
B: So I'll take this opportunity. My name is Trish Taro, I'm with Dao. I was recently promoted to, I don't know if it's a good thing, dependency management product manager, so I'm kind of not technically supply chain, but.
D: This is Christine Ivan, at the end, when the F5 and I might have joined, like the latter half of the last meeting, but didn't have a chance to introduce myself. So I'm with the OSPO, open source program office, at F5, so I lead that office and just came here to look and just learn more. Nice. Where are you both located?
E: Hi, and this, I'm Jason Swank. I sort of lurked two weeks ago. So I'm from Sonatype, I run Maven Central, which is a package registry for the Java ecosystem.
A: All right, checking for Bill one more time.
A: Okay, I left a comment here too, so this was a little confusing. It says: CNCF donation. We're not the CNCF, so I'm not sure if there was a little bit of confusion, or Bill maybe found the wrong place, so feel free to. If you, if you do reach him, feel free to maybe get some clarification there.
A: Okay, I guess we'll jump down to the Harden Runner. Varun, I think I saw you on the call. Do you want to take the next?
C: Yeah, sure, and just to, you know, introduce myself: I'm Varun and I'm the founder of StepSecurity, and before that I was at Microsoft for 15 years.
A: Yeah, yeah, go ahead and take it over. While you're setting that up, I'll just make a note: there's a, but yeah, there's a bunch of different projects on the agenda today. I believe that the OpenSSF and the TAC, I haven't, I can't make the TAC meetings due to the time conflict for me, but I think we're still even working through, on the foundation side, more like organization and structure around the working groups, and so I'm not sure. Maybe someone on the call actually knows some of the latest around what's going on in terms of new projects and how that stuff is shaping up. David, do you have an update there?
G: I normally, I would, but for personal reasons I've had to be a little less connected recently. Okay, so others may be the, maybe the better source. Jock?
H: Yeah, there is a lot of work going on around TAC oversight of groups. There is a big push from the TAC to ensure that everybody has dotted their i's and crossed their t's in terms of the paperwork. You may have seen issues in the repo, I'm not sure if they got to this one, asking for a charter, any shared drives you have, getting the email, mailing lists, sort of, that's gonna be another thing. So there's, there's a lot of work going on. There's also sort of work around governance questions, to make sure that everything is smooth and laid out. Does that help?
A: Yeah, cool, yeah, so I think we're happy to see the demo today, and this will be recorded, so we can always reference it back later, but just kind of know that things are still a little bit up in the air, or being settled, now I guess is the right way to put it, on the foundation level. So all right, anyway, Varun, go ahead.
C: So I've actually, you know, demoed this a couple of times in different OpenSSF meetings, although this is the first time attending this working group meeting. So for some of you it might actually be a repeat, so just to give a background on, you know, why this has been created. So what I'm gonna demo is a security agent for the GitHub-hosted runner, and, you know, the reason behind creating this was just looking at some of the past incidents, and what was, you know, what were those, you know, compromised dependencies and tools doing. So as an example, in the dependency confusion, you know, there was DNS exfiltration that was used to exfiltrate some metadata about the build server, and in the Codecov breach there was again exfiltration of credentials from, you know, hundreds, you know, thousands of build servers, and it was not detected for a couple of months. And so that's, that's, you know, the reasoning behind building this agent for the build server, in order to improve monitoring, and what I'll do today is give a quick, you know, demo of a couple of scenarios.

So the first one, in fact, is this: you know, a few npm packages, not a few, quite a lot of them, that were released into the public registry a few days back, and there was this list that was in fact published on, you know, the OpenSSF Slack. And so in here, you know, some of them have been added to the package.json file, and in the workflow, you know, this is how one can add this agent. It gets installed using a GitHub Action, so StepSecurity Harden Runner, and then you can set allowed endpoints, in this case. It gets, you know, it downloads the agent, installs it in the pre-step, and then, as you can see here, you know, this is where the outbound traffic from these malicious packages has been detected. So in this first case, you know, it's a, it's a very long domain name, but this was actually a DNS exfiltration, so there's a dns.lookup happening in the package, and then this one is, is an actual connection.

So this is sort of one of the scenarios for which it's been built: that, you know, if there's a compromised dependency that generally tends to make outbound calls, then it can detect that. So I'll just pause for, you know, and let me know if you have any questions before I move to the second scenario.
C: So, in this example, it was set to, it was just set to two of these allowed domains, you know, github.com and registry.npm.js, so anything other than this that gets called during the job, it's going to block, it's going to block the DNS resolution of it, and, you know, if it's making a direct call to an IP address.
C: So the next, you know, next one is, and this is, this is actually the Scorecard. The project recently started using Harden Runner, and this is currently in the audit mode. So when you actually, you know, set it up, the first step would typically be to run it in audit mode, unless you already know the outbound endpoints, and so in here. So what, what I want to show here is that another of the detections is to detect a source code file overwrite, you know, and in this case it's a false positive, but the intent is that for a release build, you know, ideally the source code shouldn't really be modified on the build server. So in this case it monitors each file write, which, if, and if it is a source code file, it has a list of extensions associated with source files.

So this is the other scenario, and going back to the, you know, the question about how do you set endpoints: so when you click on this insights link, it actually gives this sort of a process monitor view of what happened during the build, you know, what process was called and what outbound call was made, and then for each job.

But yeah, that's, that, that, that was all for the demo, and I'd love to get feedback. You know, what, any other questions?

Yeah, I'm not sure, you know, I think I'll have to reach out and see if it can be added as part of the, the default VM.
A: Cool, thanks for the demo. Any other questions from Roone? Matt says "very cool idea" in the chat, just to see if you caught that. I don't see any other. Okay, Phil can't make it.
I: We're kind of a little confused about the, the sort of hands, what hands-on keyboard steps we need to take to make sure that the GitHub org we have falls under OpenSSF. I know that it's, it's one of those things where also it's not like just a single GitHub repo, because we're also trying to show off, hey, here's what a bad example looks like, and we don't want some of that to literally exist under OSSF, and, you know, we want to show like, hey, here's what happens when you put bad permissions, and, you know, those sorts of things that are all part of that project. And so we're just sort of curious what that sort of takes, and then also, like, moving forward, you know, are there, is there governance around stuff like weekly meetings for that project and so on and so forth, like, how do we get all set up in there?
G: May I jump in? Yeah, so as far as the technical hands on keyboard, how to get in, what I'd suggest is: first contact Jory Burson, I'll, I'll post the email, and if she struggles, dump it on me. I've, I've been, for, so I think some of you are aware, I have been more or less not very valuable the last couple of weeks, but that's due to some personal issues, but I am, I am back. So, so basically, Jory and then me, and we'll make things happen from a, oh, hello, cat. Yo.

As far as, you know, as far as, we, we've actually already handled once the, hey, I've got so many repos, I need a different organization. There, you know, there's a huge collection of sample code that's vulnerable and not vulnerable, for testing static tools, so we created a separate org for that, so that is totally doable.
I: And then would that also be, would Jory also be able to handle stuff like, you know, setting up, let's say, meetings, regular meetings for the project, or whatever, that fall under sort of OpenSSF governance, because obviously we don't want to have any sort of meetings that aren't, that are private, or, you know, or, you know.
G: She can get stuff on the calendar, she can set up the email, so that's absolutely what she, that, that is one of her key roles here. So yes. Now, just as a quick note, you know, a number of working groups have subgroups within them that have their own meetings. Whether or not you need it, it kind of depends on the pro, on what you're up to, so there's no requirement that every little, every subgroup have its own separate mailing list and Slack channel and such. But if you need it, then that's great, let's do it, but, you know, I, I also, you know, if you, if you talk and, and want to discuss once a year, it might make more sense just within this working group. So we will, up to you and this group, oh.
A: For ideas, all right, good to know, cool. That is all we have on the agenda today. Does anyone else have anything ad hoc they want to discuss quick with the group?