Merge branch 'main' into wasmedge/project_security_self_assessment

cncf · Nov 6, 2024 · 18007c4 · 18007c4
2 parents 0dcbc6a + 75b01d3
commit 18007c4
Show file tree

Hide file tree

Showing 32 changed files with 692 additions and 62 deletions.
diff --git a/README.md b/README.md
@@ -6,7 +6,6 @@
 
 - [Meeting Information](#meeting-information)
 - [Slack Information](#communications)
-- [Members](#members)
 - [Working Groups](#working-groups)
 
 ## About Us
@@ -56,6 +55,7 @@ Join our open discussions and share news:
 
 - **Americas**: Weekly on Wednesdays at 10 am (UTC-7). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/92340369657?password=76e24ffd-69f2-41a8-8aed-13796805225d), Meeting ID: 923 4036 9657.
 - **EMEA**: Bi-weekly on Wednesdays at 1 pm UTC+0 (adjusts for daylight saving). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/98348738138?password=70e6a945-563a-491f-8485-ecf7394ec13a), Meeting ID: 983 4873 8138.
+- **APAC**: Bi-weekly on Wednesdays at 11 am (UTC+9). [Zoom link](https://zoom-lfx.platform.linuxfoundation.org/meeting/94315508827?password=0d7eaab8-a217-4c1b-b0a5-27ceded5743f), Meeting ID: 943 1550 8827.
 
 Check your local timezone [here](https://time.is/). Meetings are listed on the [CNCF calendar](https://www.cncf.io/calendar/) and the [TAG Security Calendar](https://calendar.google.com/calendar/u/0?cid=MGI4dTVlbDh0YTRzOTN0MmNtNzJ0dXZoaGtAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).
 
@@ -70,10 +70,6 @@ If you are new to the group, we encourage you to check out our
 
 Explore groups affiliated with or relevant to Security TAG [here](governance/related-groups/README.md)
 
-## Members
-
-<!-- cSpell:disable -->
-
 ## Leadership
 
 Details about the TAG Chairs, Tech Leads, and TOC Liaisons can be found on the [CNCF Technical Advisory Groups (TAGs) information page](https://github.com/cncf/toc/blob/main/tags/cncf-tags.md)
@@ -88,14 +84,15 @@ The TAG's working groups focus on specific areas and organize most community act
 These groups facilitate discussions, engagement, and publications with key stakeholders, operating differently based on their needs.
 Each group, led by a responsible leader, reaches consensus on issues and manages logistics. All materials, such as reports, white papers, documents, and reference architectures, are in the repository's /community directory.
 
-| Project | Leads |
-|---------------------------------|---------------------------------------------|
-| [Automated Governance](/community/working-groups/automated-governance/README.md) | Matthew Flannery, Brandt Keller |
-| [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres |
-| [Compliance](/community/working-groups/compliance/README.md) | Anca Sailer, Robert Ficcaglia |
-| [Controls](/community/working-groups/controls/README.md) | Jon Zeolla |
-| [Security Reviews](/community/assessments/README.md) | Justin Cappos, Eddie Knight|
-| [Software Supply Chain](/community/working-groups/supply-chain-security/README.md) | Marina Moore, Michael Liebermann, John Kjell |
+| Project | Leads | STAG Rep |
+|---------------------------------|---------------------------------------------|---------------------------------|
+| [Automated Governance](/community/working-groups/automated-governance/README.md) | Brandt Keller | Matthew Flannery |
+| [Catalog of Supply Chain Compromises](/community/catalog/README.md) | Santiago Arias Torres | Marina Moore |
+| [Commons](/community/working-groups/commons/README.md) | Eddie Knight | Marco De Benedictis |
+| [Compliance](/community/working-groups/compliance/README.md) | Anca Sailer, Robert Ficcaglia | Brandt Keller |
+| [Controls](/community/working-groups/controls/README.md) | Jon Zeolla | Brandt Keller |
+| [Security Reviews](/community/assessments/README.md) | Justin Cappos | Eddie Knight |
+| [Software Supply Chain](/community/working-groups/supply-chain-security/README.md) | Michael Lieberman, John Kjell | Marina Moore |
 
 ## Additional information
 

diff --git a/ci/lint-config.json b/ci/lint-config.json
@@ -4,5 +4,8 @@
         "code_blocks": false,
         "tables": false,
         "line_length": 512
+    },
+    "MD024": {
+        "siblings_only": true
     }
 }
diff --git a/ci/spelling-config.json b/ci/spelling-config.json
@@ -8,6 +8,8 @@
     "words": [
         "ABAC",
         "addfetnetgrent",
+        "AEST",
+        "Anca",
         "Aniszczyk",
         "antifragile",
         "APAC",
@@ -55,7 +57,9 @@
         "exploitability",
         "Expressibility",
         "Fianu",
+        "Ficcaglia",
         "FIPS",
+        "Flannery",
         "Flibble",
         "frontmatter",
         "Gamal",
@@ -65,8 +69,8 @@
         "GUAC",
         "helm",
         "HIPAA",
-        "HITRUST",
         "Hirschberg",
+        "HITRUST",
         "hotspots",
         "hyperconverged",
         "Inclusivity",
@@ -79,6 +83,7 @@
         "kata",
         "KETRMAX",
         "keycloak",
+        "Kjell",
         "Kube",
         "kubecon",
         "Kubernetes",
@@ -174,6 +179,7 @@
         "Virtool",
         "Wolt",
         "Yubi",
-        "Zalman"
+        "Zalman",
+        "Zeolla"
     ]
 }
diff --git a/community/assessments/projects/containerd/self-assessment.md b/community/assessments/projects/containerd/self-assessment.md
diff --git a/community/assessments/projects/flatcar/joint-assessment.md b/community/assessments/projects/flatcar/joint-assessment.md
@@ -44,7 +44,7 @@ Compromising the update server would allow an attacker to “un-publish” a new
     <br/>2. Maintainers: That's a good catch, I've added 1.c. to discuss repository settings.
 11. SSH credential password enforcement
 12. 2FA for code repositories, build infrastructure, and VPN access
-13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
+13. Usage of soft/hard tokens as opposed to SMS 2FA as per [CNCF_SSCP_v1.pdf](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
 14. Consider preventing any outbound internet access to the build infrastructure, to avoid command and control for hostile actors
 
 

diff --git a/community/assessments/projects/fluentd/fluentd/self-assessment.md b/community/assessments/projects/fluentd/fluentd/self-assessment.md
@@ -172,7 +172,7 @@ Fluentd is the default standard to solve Logging in containerized environments,
   - Security vulnerabilites are to be reported at https://github.com/fluent/fluentd/security/advisories, as stated in their [security policy](https://github.com/fluent/fluentd/blob/master/SECURITY.md)
 * Incident Response.  
   -  Fluentd is trying to follow supply chain security using [DCO](https://probot.github.io/apps/dco/)  
-    [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)  
+    [(Supply chain security)](https://github.com/cncf/tag-security/blob/main/community/working-groups/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
   - Because Fluentd is built on top of the Ruby Ecosystems, they must also check the licenses of dependent gems.
 
 ## Appendix