From 50d5f61d7f9dfb88dd3639a1579304f504eaedd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9s=20Vega?=
Date: Fri, 21 Jun 2024 12:51:14 -0700
Subject: [PATCH] Move assessments to community/assessments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andrés Vega --- .../assessments}/Open_and_Secure.pdf | Bin .../assessments}/README.md | 61 +++++++++--------- .../assessments}/guide/README.md | 0 .../assessments}/guide/joint-assessment.md | 30 +++++---- .../guide/joint-readme-template.md | 18 +++--- .../assessments}/guide/project-lead.md | 4 +- .../assessments}/guide/review-survey.md | 0 .../assessments}/guide/security-reviewer.md | 19 +++--- .../assessments}/guide/self-assessment.md | 59 +++++++++-------- .../assessments}/intake-process.md | 12 ++-- .../assessments}/projects/README.md | 0 .../projects/antrea/self-assessment.md | 0 .../projects/buildpacks/README.md | 0 .../projects/buildpacks/self-assessment.md | 0 .../cert-manager/adalogics_diagram.png | Bin .../projects/cert-manager/self-assessment.md | 0 .../projects/cloudevents/images/apex-logo.png | Bin .../cloudevents/images/async-api-logo.png | Bin .../images/cloudevents-actions.png | Bin .../cloudevents/images/cloudevents-logo.png | Bin .../cloudevents/images/opentelemetry-logo.svg | 0 .../cloudevents/images/soap-evenlope.png | Bin .../cloudevents/images/soap-webservice.png | Bin .../projects/cloudevents/self-assessment.md | 0 .../projects/cni/docs/CNI-config.png | Bin .../projects/cni/docs/CNI-role.png | Bin .../cni/docs/lightweight-threat-assessment.md | 0 .../projects/cni/self-assessment.md | 0 .../projects/contour/self-assessment.md | 0 .../projects/coredns/self-assessment.md | 0 .../projects/cortex/self-assessment.md | 0 .../projects/cortex/threat-model.md | 0 .../projects/cubefs/self-assessment.md | 0 .../projects/custodian/c7n_attacks.drawio | 0 .../projects/custodian/c7n_attacks.png | Bin .../custodian/c7n_threat_assessment.png | Bin .../projects/custodian/joint-review.md | 0 .../projects/emissary-ingress/image-3.png | Bin .../emissary-ingress/self-assessment.md | 0 .../assets/component-overview.png | Bin .../external-secrets/assets/overview.png | Bin .../docs/stride-threat-model.md | 0 .../external-secrets/self-assessment.md | 0 
.../projects/flatcar/joint-assessment.md | 0 .../projects/flatcar/self-assessment.md | 0 .../projects/fluentd/fluent-bit/README.md | 0 .../fluentd/fluentd/self-assessment.md | 0 .../projects/fluentd/plugins/README.md | 0 .../assessments}/projects/harbor/README.md | 0 .../harbor/docs/Harbor-architecture.png | Bin .../projects/harbor/docs/Harbor-history.png | Bin .../harbor/docs/blast-radius-and-recovery.png | Bin .../projects/harbor/self-assessment.md | 0 .../assessments}/projects/in-toto/README.md | 0 .../projects/in-toto/debian-rebuilder.png | Bin .../assessments}/projects/in-toto/kubesec.png | Bin .../projects/in-toto/self-assessment.md | 0 .../projects/jaeger/self-assessment.md | 0 .../karmada/docs/Karmada-architecture.png | Bin .../karmada/docs/Karmada-components.png | Bin .../projects/karmada/self-assessment.md | 0 .../projects/karmada/threatmodeling.md | 0 .../assessments}/projects/keycloak/README.md | 0 .../projects/keycloak/docs/image1.png | Bin .../projects/keycloak/docs/image10.png | Bin .../projects/keycloak/docs/image11.png | Bin .../projects/keycloak/docs/image2.png | Bin .../projects/keycloak/docs/image3.png | Bin .../projects/keycloak/docs/image4.png | Bin .../projects/keycloak/docs/image5.png | Bin .../projects/keycloak/docs/image6.png | Bin .../projects/keycloak/docs/image7.png | Bin .../projects/keycloak/docs/image8.png | Bin .../projects/keycloak/docs/image9.png | Bin .../projects/keycloak/self-assessment.md | 0 .../projects/knative/knative_dia.png | Bin .../projects/knative/recommendations.md | 0 .../projects/knative/self-assessment.md | 0 .../assessments}/projects/kyverno/README.md | 0 .../kyverno/images/kyverno-architecture.png | Bin .../images/kyverno-physical-architecture.png | Bin .../projects/kyverno/self-assessment.md | 0 .../projects/linkerd/self-assessment.md | 0 .../projects/longhorn/self-assessment.md | 0 .../projects/longhorn/threat-model.md | 0 .../projects/nats/doc/threat-modeling.md | 0 .../nats/images/NATS_Figure_1_Image.jpg | 
Bin .../projects/nats/self-assessment.md | 0 .../assessments}/projects/opa/README.md | 0 .../projects/opa/docs/document_model.png | Bin .../projects/opa/docs/request_response.png | Bin .../projects/opa/self-assessment.md | 0 .../open-telemetry/self-assessment.md | 0 .../projects/openfga/OpenFGA Playground.png | Bin .../projects/openfga/self-assessment.md | 0 .../projects/openkruise/self-assessment.md | 0 .../projects/openkruise/threat-model.md | 0 .../openmetrics/STRIDE Threat Modeling.pdf | Bin .../projects/openmetrics/self-assessment.md | 0 .../operator-framework/self-assessment.md | 0 .../assessments}/projects/pixie/README.md | 0 .../projects/pixie/self-assessment.md | 0 .../rook/Rook High-Level Architecture.png | Bin .../projects/rook/self-assessment.md | 0 .../projects/spiffe-spire/README.md | 0 .../projects/spiffe-spire/docs/image0.png | Bin .../projects/spiffe-spire/docs/image1.png | Bin .../projects/spiffe-spire/docs/image2.png | Bin .../projects/spiffe-spire/docs/image3.png | Bin .../projects/spiffe-spire/docs/image4.png | Bin .../projects/spiffe-spire/docs/image5.png | Bin .../projects/spiffe-spire/docs/image6.png | Bin .../projects/spiffe-spire/docs/image7.png | Bin .../projects/spiffe-spire/self-assessment.md | 0 ...thanos-high-level-arch-diagram-receive.png | Bin ...thanos-high-level-arch-diagram-sidecar.png | Bin .../thanos/res/workflow1.excalidraw.png | Bin .../thanos/res/workflow2.excalidraw.png | Bin .../projects/thanos/self-assessment.md | 0 .../projects/tikv/self-assessment.md | 0 .../tikv/src/imgs/distributed_transaction.png | Bin .../projects/tikv/src/imgs/layer.png | Bin .../projects/tikv/src/imgs/raft_consensus.png | Bin .../projects/tikv/src/imgs/sharding.png | Bin .../projects/tikv/src/imgs/tikv_wholepic.png | Bin .../projects/tikv/tikv-threat-model.md | 0 .../assessments}/projects/volcano/arch.png | Bin .../projects/volcano/recommendations.md | 0 .../projects/volcano/self-assessment.md | 0 .../projects/volcano/threat-analysis.md | 0 130 
files changed, 110 insertions(+), 93 deletions(-) rename {assessments => community/assessments}/Open_and_Secure.pdf (100%) rename {assessments => community/assessments}/README.md (81%) rename {assessments => community/assessments}/guide/README.md (100%) rename {assessments => community/assessments}/guide/joint-assessment.md (65%) rename {assessments => community/assessments}/guide/joint-readme-template.md (71%) rename {assessments => community/assessments}/guide/project-lead.md (96%) rename {assessments => community/assessments}/guide/review-survey.md (100%) rename {assessments => community/assessments}/guide/security-reviewer.md (97%) rename {assessments => community/assessments}/guide/self-assessment.md (92%) rename {assessments => community/assessments}/intake-process.md (96%) rename {assessments => community/assessments}/projects/README.md (100%) rename {assessments => community/assessments}/projects/antrea/self-assessment.md (100%) rename {assessments => community/assessments}/projects/buildpacks/README.md (100%) rename {assessments => community/assessments}/projects/buildpacks/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cert-manager/adalogics_diagram.png (100%) rename {assessments => community/assessments}/projects/cert-manager/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cloudevents/images/apex-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/async-api-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/cloudevents-actions.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/cloudevents-logo.png (100%) rename {assessments => community/assessments}/projects/cloudevents/images/opentelemetry-logo.svg (100%) rename {assessments => community/assessments}/projects/cloudevents/images/soap-evenlope.png (100%) rename {assessments => 
community/assessments}/projects/cloudevents/images/soap-webservice.png (100%) rename {assessments => community/assessments}/projects/cloudevents/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cni/docs/CNI-config.png (100%) rename {assessments => community/assessments}/projects/cni/docs/CNI-role.png (100%) rename {assessments => community/assessments}/projects/cni/docs/lightweight-threat-assessment.md (100%) rename {assessments => community/assessments}/projects/cni/self-assessment.md (100%) rename {assessments => community/assessments}/projects/contour/self-assessment.md (100%) rename {assessments => community/assessments}/projects/coredns/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cortex/self-assessment.md (100%) rename {assessments => community/assessments}/projects/cortex/threat-model.md (100%) rename {assessments => community/assessments}/projects/cubefs/self-assessment.md (100%) rename {assessments => community/assessments}/projects/custodian/c7n_attacks.drawio (100%) rename {assessments => community/assessments}/projects/custodian/c7n_attacks.png (100%) rename {assessments => community/assessments}/projects/custodian/c7n_threat_assessment.png (100%) rename {assessments => community/assessments}/projects/custodian/joint-review.md (100%) rename {assessments => community/assessments}/projects/emissary-ingress/image-3.png (100%) rename {assessments => community/assessments}/projects/emissary-ingress/self-assessment.md (100%) rename {assessments => community/assessments}/projects/external-secrets/assets/component-overview.png (100%) rename {assessments => community/assessments}/projects/external-secrets/assets/overview.png (100%) rename {assessments => community/assessments}/projects/external-secrets/docs/stride-threat-model.md (100%) rename {assessments => community/assessments}/projects/external-secrets/self-assessment.md (100%) rename {assessments => 
community/assessments}/projects/flatcar/joint-assessment.md (100%) rename {assessments => community/assessments}/projects/flatcar/self-assessment.md (100%) rename {assessments => community/assessments}/projects/fluentd/fluent-bit/README.md (100%) rename {assessments => community/assessments}/projects/fluentd/fluentd/self-assessment.md (100%) rename {assessments => community/assessments}/projects/fluentd/plugins/README.md (100%) rename {assessments => community/assessments}/projects/harbor/README.md (100%) rename {assessments => community/assessments}/projects/harbor/docs/Harbor-architecture.png (100%) rename {assessments => community/assessments}/projects/harbor/docs/Harbor-history.png (100%) rename {assessments => community/assessments}/projects/harbor/docs/blast-radius-and-recovery.png (100%) rename {assessments => community/assessments}/projects/harbor/self-assessment.md (100%) rename {assessments => community/assessments}/projects/in-toto/README.md (100%) rename {assessments => community/assessments}/projects/in-toto/debian-rebuilder.png (100%) rename {assessments => community/assessments}/projects/in-toto/kubesec.png (100%) rename {assessments => community/assessments}/projects/in-toto/self-assessment.md (100%) rename {assessments => community/assessments}/projects/jaeger/self-assessment.md (100%) rename {assessments => community/assessments}/projects/karmada/docs/Karmada-architecture.png (100%) rename {assessments => community/assessments}/projects/karmada/docs/Karmada-components.png (100%) rename {assessments => community/assessments}/projects/karmada/self-assessment.md (100%) rename {assessments => community/assessments}/projects/karmada/threatmodeling.md (100%) rename {assessments => community/assessments}/projects/keycloak/README.md (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image1.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image10.png (100%) rename {assessments => 
community/assessments}/projects/keycloak/docs/image11.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image2.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image3.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image4.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image5.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image6.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image7.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image8.png (100%) rename {assessments => community/assessments}/projects/keycloak/docs/image9.png (100%) rename {assessments => community/assessments}/projects/keycloak/self-assessment.md (100%) rename {assessments => community/assessments}/projects/knative/knative_dia.png (100%) rename {assessments => community/assessments}/projects/knative/recommendations.md (100%) rename {assessments => community/assessments}/projects/knative/self-assessment.md (100%) rename {assessments => community/assessments}/projects/kyverno/README.md (100%) rename {assessments => community/assessments}/projects/kyverno/images/kyverno-architecture.png (100%) rename {assessments => community/assessments}/projects/kyverno/images/kyverno-physical-architecture.png (100%) rename {assessments => community/assessments}/projects/kyverno/self-assessment.md (100%) rename {assessments => community/assessments}/projects/linkerd/self-assessment.md (100%) rename {assessments => community/assessments}/projects/longhorn/self-assessment.md (100%) rename {assessments => community/assessments}/projects/longhorn/threat-model.md (100%) rename {assessments => community/assessments}/projects/nats/doc/threat-modeling.md (100%) rename {assessments => community/assessments}/projects/nats/images/NATS_Figure_1_Image.jpg (100%) rename {assessments => 
community/assessments}/projects/nats/self-assessment.md (100%) rename {assessments => community/assessments}/projects/opa/README.md (100%) rename {assessments => community/assessments}/projects/opa/docs/document_model.png (100%) rename {assessments => community/assessments}/projects/opa/docs/request_response.png (100%) rename {assessments => community/assessments}/projects/opa/self-assessment.md (100%) rename {assessments => community/assessments}/projects/open-telemetry/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openfga/OpenFGA Playground.png (100%) rename {assessments => community/assessments}/projects/openfga/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openkruise/self-assessment.md (100%) rename {assessments => community/assessments}/projects/openkruise/threat-model.md (100%) rename {assessments => community/assessments}/projects/openmetrics/STRIDE Threat Modeling.pdf (100%) rename {assessments => community/assessments}/projects/openmetrics/self-assessment.md (100%) rename {assessments => community/assessments}/projects/operator-framework/self-assessment.md (100%) rename {assessments => community/assessments}/projects/pixie/README.md (100%) rename {assessments => community/assessments}/projects/pixie/self-assessment.md (100%) rename {assessments => community/assessments}/projects/rook/Rook High-Level Architecture.png (100%) rename {assessments => community/assessments}/projects/rook/self-assessment.md (100%) rename {assessments => community/assessments}/projects/spiffe-spire/README.md (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image0.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image1.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image2.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image3.png (100%) rename {assessments => 
community/assessments}/projects/spiffe-spire/docs/image4.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image5.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image6.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/docs/image7.png (100%) rename {assessments => community/assessments}/projects/spiffe-spire/self-assessment.md (100%) rename {assessments => community/assessments}/projects/thanos/res/thanos-high-level-arch-diagram-receive.png (100%) rename {assessments => community/assessments}/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png (100%) rename {assessments => community/assessments}/projects/thanos/res/workflow1.excalidraw.png (100%) rename {assessments => community/assessments}/projects/thanos/res/workflow2.excalidraw.png (100%) rename {assessments => community/assessments}/projects/thanos/self-assessment.md (100%) rename {assessments => community/assessments}/projects/tikv/self-assessment.md (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/distributed_transaction.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/layer.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/raft_consensus.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/sharding.png (100%) rename {assessments => community/assessments}/projects/tikv/src/imgs/tikv_wholepic.png (100%) rename {assessments => community/assessments}/projects/tikv/tikv-threat-model.md (100%) rename {assessments => community/assessments}/projects/volcano/arch.png (100%) rename {assessments => community/assessments}/projects/volcano/recommendations.md (100%) rename {assessments => community/assessments}/projects/volcano/self-assessment.md (100%) rename {assessments => community/assessments}/projects/volcano/threat-analysis.md (100%) 
diff --git a/assessments/Open_and_Secure.pdf b/community/assessments/Open_and_Secure.pdf
similarity index 100%
rename from assessments/Open_and_Secure.pdf
rename to community/assessments/Open_and_Secure.pdf
diff --git a/assessments/README.md b/community/assessments/README.md
similarity index 81%
rename from assessments/README.md
rename to community/assessments/README.md
index e47bba8ac..6c798bfd4 100644
--- a/assessments/README.md
+++ b/community/assessments/README.md
@@ -1,9 +1,9 @@
-# TAG-Security Security Assessment (TSSA) Process
+# TAG-Security Security Assessment (TSSA) Process
 ## Goals
-The [TAG-Security Security Assessment Process](guide) (formerly the security
-review process) is designed to accelerate the adoption of cloud native
+The [TAG-Security Security Assessment Process](guide) (formerly the security
+review process) is designed to accelerate the adoption of cloud native
 technologies based on the below goals and assumptions:
 ### 1) Reduce risk across the ecosystem
@@ -11,52 +11,54 @@ technologies based on the below goals and assumptions:
 The primary goal is to minimize the risk of malicious attacks and accidental privacy breaches. This process achieves this in two ways:
- * Improve detection and resolution of vulnerabilities through a clear communication
+* Improve detection and resolution of vulnerabilities through a clear communication
 process.
- * Enhance domain expertise in participating projects via collaborative assessments.
+* Enhance domain expertise in participating projects via collaborative assessments.
 ### 2) Accelerate adoption of cloud native technologies
-Security assessments are essential but time-intensive processes that each company,
-organization, and project must perform to meet their unique commitments to users and
-stakeholders. In open source, finding security-related information can be overwhelmingly
-difficult and time-consuming. The CNCF TAG-Security Security Assessment Process, hereafter
-“TSSA” Process, aims to enhance the discovery of security information and streamline
+Security assessments are essential but time-intensive processes that each company,
+organization, and project must perform to meet their unique commitments to users and
+stakeholders. In open source, finding security-related information can be overwhelmingly
+difficult and time-consuming. The CNCF TAG-Security Security Assessment Process, hereafter
+“TSSA” Process, aims to enhance the discovery of security information and streamline
 internal and external assessments in multiple ways:
- * Consistent documentation to reduce assessment time.
- * Baseline of security information to minimize Q&A.
- * A clear security profile rubric for organizations to align their risk profiles with
+* Consistent documentation to reduce assessment time.
+* Baseline of security information to minimize Q&A.
+* A clear security profile rubric for organizations to align their risk profiles with
 the project’s and allocate resources effectively (for assessment and needed project contribution).
- * Structured metadata for navigation, grouping, and cross-linking.
+* Structured metadata for navigation, grouping, and cross-linking.
-This process is expected to raise awareness of how open source projects impact cloud native security;
+This process is expected to raise awareness of how open source projects impact cloud native security;
 however, separate activities may be needed to achieve that purpose using materials generated by the TSSA, known as artifacts or the TSSA package.
 ## Outcome
 Each project's TSSA package shall include a description of the project's:
+
 1. Security design goals.
 2. Potential risks in design and configuration implementations.
 3. Known limitations including expectations that certain security aspects are managed by upstream or downstream dependencies or complementary software.
-5. Next steps to enhance the project's security and/or its contributions to a more secure
+4. Next steps to enhance the project's security and/or its contributions to a more secure
 cloud native ecosystem.
-Due to the nature and time frame of the analysis, *the TSSA package is not
-meant to subsume the need for a professional security audit of the code*. Implementation-specific
-vulnerabilities or improper deployment configurations are not in the scope of a TSSA.
-Instead, the TSSA aims to uncover design flaws, enhance the project's security mindset,
+Due to the nature and time frame of the analysis, *the TSSA package is not
+meant to subsume the need for a professional security audit of the code*. Implementation-specific
+vulnerabilities or improper deployment configurations are not in the scope of a TSSA.
+Instead, the TSSA aims to uncover design flaws, enhance the project's security mindset,
 and clearly document its design goals and intended security properties.
 ### Benefits of a TSSA
-Undergoing the TSSA Process is a key step toward eliminating security risks and integrating
+Undergoing the TSSA Process is a key step toward eliminating security risks and integrating
 security as a fundamental aspect of your system over time.
 Key benefits of TSSA include:
+
 * Establishing a measurable security baseline.
 * Identifying and analyzing security issues and their risks.
 * Integrating a culture of security awareness among developers.
@@ -66,6 +68,7 @@ Key benefits of TSSA include:
 A complete TSSA package primarily consists of the following items:
+
 * [Self-assessment](guide/self-assessment.md): A written assessment by the project of the project's current security status.
 * [Joint-assessment](guide/joint-assessment.md): A hands-on assessment by both the [security
@@ -79,15 +82,15 @@ It is considered when performing due diligence.
 ### Use of a completed TSSA package
-A finalized TSSA package may assist the community in contextual project reviews, but
-it is not an endorsement or audit of the project’s security. It does not exempt individuals
-or organizations from conducting their own due diligence and complying with laws, regulations,
+A finalized TSSA package may assist the community in contextual project reviews, but
+it is not an endorsement or audit of the project’s security. It does not exempt individuals
+or organizations from conducting their own due diligence and complying with laws, regulations,
 and policies.
-Draft assessments contain *unconfirmed* content and require peer review before being
-committed to the repository. Draft documents may also contain *speculative* content as
+Draft assessments contain *unconfirmed* content and require peer review before being
+committed to the repository. Draft documents may also contain *speculative* content as
 the project lead or security reviewer is performing an assessment.
-Draft assessments are *only* for the purpose of preparing final artifacts and are **not**
+Draft assessments are *only* for the purpose of preparing final artifacts and are **not**
 to be used in any other capacity by the community. Final presentation slides and the project's joint assessment
@@ -97,8 +100,8 @@ documentation and artifacts from the TSSA. These folders can be found under
 ## Process
-Creating the TSSA package is a collaborative process that benefits both the project
-and the community. The primary content is generated by the [project lead](guide/project-lead.md)
+Creating the TSSA package is a collaborative process that benefits both the project
+and the community. The primary content is generated by the [project lead](guide/project-lead.md)
 and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the TAG.
diff --git a/assessments/guide/README.md b/community/assessments/guide/README.md
similarity index 100%
rename from assessments/guide/README.md
rename to community/assessments/guide/README.md
diff --git a/assessments/guide/joint-assessment.md b/community/assessments/guide/joint-assessment.md
similarity index 65%
rename from assessments/guide/joint-assessment.md
rename to community/assessments/guide/joint-assessment.md
index 47f8a3e1f..82f6188f6 100644
--- a/assessments/guide/joint-assessment.md
+++ b/community/assessments/guide/joint-assessment.md
@@ -244,12 +244,12 @@ section).
 ### Identity Theft
-|Victim Components | Server | Agent | Container on node | Container separate node |
-|--|--|--|--|--|
-| Victim Server | N/A | Score .11 : Mitigated, server has... | Score .11 : Mitigated,
-node has... | Score .11 : Mitigated, node has... |
-| Victim Agent | Score 57.5 None, significant issue... | Score. 11 : Mitigated, server
-has... | Score .11 : Mitigated, node has... | Score .11 : Mitigated, node has... |
+| Victim Components | Server | Agent | Container (same node) | Container (diff node) |
+|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Victim Server | N/A: There is only one server | "Mitigated: The server has validation in place to prevent it from signing CSRs for SPIFFE IDs that are not registered to a particular agent. Furthermore, there is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Agents always validate the server's SPIFFE ID when connecting to it.
Score: 0.11" | "Mitigated: There is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Score: 0.11" | "Mitigated: There is validation to prevent an operator from erroneously registering the server's SPIFFE ID. Score: 0.11" |
+| Victim Agent | "NONE: The server has the signing keys and can issue new identities at will. Score: 57.5" | "Mitigated: The server has validation in place to prevent it from signing CSRs for SPIFFE IDs that are not registered to a particular agent. Furthermore, there is validation to prevent an operator from erroneously registering a SPIFFE ID representing an agent. Score: 0.115" | "ESCAPE: If a container escape and privilege escalation can be performed, it is possible to read the agent's key from memory. Score: 0.63" | "Mitigated: There is validation to prevent an operator from erroneously registering the agent's SPIFFE ID. Score: 0.115" |
+| Victim Container (same node) | "NONE: The server has the signing keys and can issue new identities at will. Score: 5.5" | "NONE: Agent controls the keys and certificates for all containers authorized to run on it. Score: 5.5" | "ESCAPE: If a container escape and privilege escalation can be performed, it is possible to read neighboring container's keys from memory. Score: 0.231" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" |
+| Victim Container (diff node) | "NONE: The server has the signing keys and can issue new identities at will. Score: 12.5" | "NONE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil agent, then the evil agent can obtain a certificate representing the container.
Score: 12.5 NOTE: This condition only occurs under certain configurations" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" | "ESCAPE: A container can be authorized to run on multiple nodes. If the container in question is authorized to run on the node with the evil container, then the evil container can obtain a certificate representing the victim container by reading keys from the memory of the local agent. Score: 0.525" |
 ### Compromise
@@ -289,14 +289,18 @@ formal assessment and are no guarantee of the actual security of the project.
 *If a hands-on assessment was performed, the below format should be used for reporting details*
-| | |
-| -- | -- |
-| Date of assessment | mmddyyyy-mmddyyyy |
-| Hands-on reviewers | name, github handle |
+### Assessment Details
+
+| Field | Description |
+|---------------------|---------------------------|
+| Date of assessment | mmddyyyy-mmddyyyy |
+| Hands-on reviewers | name, github handle |
+
+### Findings
-| Finding Number | Finding name | Finding Notes | Reviewer |
-| -- | -- | -- | -- |
-| | | |
+| Finding Number | Finding name | Finding Notes | Reviewer |
+|----------------|--------------|---------------|--------------------|
+| | | | |
 ### Hands-on assessment result
diff --git a/assessments/guide/joint-readme-template.md b/community/assessments/guide/joint-readme-template.md
similarity index 71%
rename from assessments/guide/joint-readme-template.md
rename to community/assessments/guide/joint-readme-template.md
index 302356350..43abdafa2 100644
--- a/assessments/guide/joint-readme-template.md
+++ b/community/assessments/guide/joint-readme-template.md
@@ -13,11 +13,11 @@ Project team: _list name and github handle as appropriate_ ## Background -*Brief synopsys of the project, problem space, how the project solves the problem, can be pulled from the joint assessment.* +_Brief synopsys of the project, problem space, how the project solves the problem, can be pulled from the joint assessment._ ### Maturity -*Use cases, integrations, etc. bulleted, should be available in the joint assessment.* +_Use cases, integrations, etc. bulleted, should be available in the joint assessment._ ## Summary @@ -31,17 +31,17 @@ _refer to the existing readmes for other projects, such as [SPIFFE/SPIRE](https: ### CNCF recommendations -* -* +* +* ### Project recommendations -* -* +* +* ### Additional recommendations -* -* +* +* -Tracking issue: *link to issue for assessment* +Tracking issue: _link to issue for assessment_ diff --git a/assessments/guide/project-lead.md b/community/assessments/guide/project-lead.md similarity index 96% rename from assessments/guide/project-lead.md rename to community/assessments/guide/project-lead.md index 62c58a031..1868ef01d 100644 --- a/assessments/guide/project-lead.md +++ b/community/assessments/guide/project-lead.md @@ -8,8 +8,8 @@ interest in security. ## Time and effort -The level of effort for the team providing the information is expected to be -around **80 hours** of work. Note, projects that have already performed a +The level of effort for the team providing the information is expected to be +around **80 hours** of work. Note, projects that have already performed a security analysis internally are expected to have much lower requirements. ## Conflict of interest diff --git a/assessments/guide/review-survey.md b/community/assessments/guide/review-survey.md similarity index 100% rename from assessments/guide/review-survey.md rename to community/assessments/guide/review-survey.md 
diff --git a/assessments/guide/security-reviewer.md b/community/assessments/guide/security-reviewer.md similarity index 97% rename from assessments/guide/security-reviewer.md rename to community/assessments/guide/security-reviewer.md index c5142830e..0f4f14901 100644 --- a/assessments/guide/security-reviewer.md +++ b/community/assessments/guide/security-reviewer.md @@ -93,6 +93,7 @@ or other details in the ticketed request for a project's joint assessment may require additional time. However, analysis is expected to be concluded in a few weeks -- usually 3 weeks. Effort is expected to include and may not be limited to: + * reviewing existing security documentation * reviewing ticketed request for project assessment * analysis of security assertions and assumptions 
@@ -112,22 +113,24 @@ There is a possibility of a conflict of interest that can arise between a security reviewer and the project being assessed due to the closely-knit nature of the community. Having clear guidelines for conflict of interest situations are important to prevent: -- Individuals from intentionally or unintentionally promoting their own + +* Individuals from intentionally or unintentionally promoting their own company's project -- TAG-Security chairs and review leads intentionally or +* TAG-Security chairs and review leads intentionally or unintentionally limiting the participation of an individual unfairly by asserting conflict of interest -- Security reviews being stalled while groups belabor on who should be allowed +* Security reviews being stalled while groups belabor on who should be allowed to participate The conflicts of interest lie on a spectrum, and are classified into hard and soft conflicts: + * A hard conflict makes a reviewer ineligible to assess a project. * A soft conflict allows a reviewer to assess a project, but not as a [project lead](./project-lead.md). * It is not unusual for reviewers to have soft conflicts. The diversity of reviewers that are familiar with a project can provide a deeper insight -together with a fresh set of eyes and is beneficial to the success of a +together with a fresh set of eyes and is beneficial to the success of a TAG-Security Security Assessment. All reviewers must provide a conflict declaration on the tracking issue to @@ -135,7 +138,8 @@ indicate which hard or soft conflicts do, or do not exist when they volunteer to be a reviewer. This is done by placing a comment on the issue associated with the joint assessment using the table provided below. -#### Conflict of interest statement template: +### Conflict of interest statement template + | Hard Conflicts | Y/N | | :------------- | :-: | | Reviewer is a currently a maintainer of the project | | 
@@ -143,7 +147,6 @@ with the joint assessment using the table provided below. | Reviewer is paid to work on the project | | | Reviewer has significant financial interest directly ties to the success of the project | | - | Soft Conflicts | Y/N | | :------------- | :-: | | Reviewer belongs to the same company/organization of the project, but does not work on the project | | @@ -155,13 +158,14 @@ with the joint assessment using the table provided below. Should a conflict arise during the time of the assessment, reviewers should notify the lead security reviewer when they become aware of the potential conflict, -so the new conflict may be consulted with the Security Assessment Facilitator +so the new conflict may be consulted with the Security Assessment Facilitator and/or chairs. ## Asserting team readiness to conduct a balanced assessment The lead security reviewer has the responsibility of ensuring a balanced assessment, and as part of that before kicking off the assessment must: + * Check that all reviewers have conflict-of-interest declarations, * Provide their own declaration of any potential conflict-of-interest (or lack thereof), @@ -188,4 +192,3 @@ participating in the assessment for which their hard conflict exists. Depending two chairs and the Security Assessment Facilitator may determine if the hard conflict may be waived. Should this occur, the decision's justification will be documented to ensure it clearly depicts the circumstances for granting the waiver. - diff --git a/assessments/guide/self-assessment.md b/community/assessments/guide/self-assessment.md similarity index 92% rename from assessments/guide/self-assessment.md rename to community/assessments/guide/self-assessment.md index 8a7bb5109..e82e940c1 100644 --- a/assessments/guide/self-assessment.md +++ b/community/assessments/guide/self-assessment.md 
@@ -1,17 +1,18 @@ # Self-assessment + The Self-assessment is the initial document for projects to begin thinking about the security of the project, determining gaps in their security, and preparing any security documentation for their users. This document is ideal for projects currently in the CNCF **sandbox** as well as projects that are looking to receive a joint assessment and currently in CNCF **incubation**. -For a detailed guide with step-by-step discussion and examples, check out the free -Express Learning course provided by Linux Foundation Training & Certification: +For a detailed guide with step-by-step discussion and examples, check out the free +Express Learning course provided by Linux Foundation Training & Certification: [Security Assessments for Open Source Projects](https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/). -# Self-assessment outline +## Self-assessment outline -## Table of contents +### Table of contents * [Metadata](#metadata) * [Security links](#security-links) @@ -28,7 +29,7 @@ Express Learning course provided by Linux Foundation Training & Certification: * [Security issue resolution](#security-issue-resolution) * [Appendix](#appendix) -## Metadata +### Metadata A table at the top for quick reference information, later used for indexing. 
@@ -40,28 +41,31 @@ A table at the top for quick reference information, later used for indexing. | Languages | Language(s) the project is written in. | | SBOM | Software bill of materials. Link to the libraries, packages, versions used by the project, may also include direct dependencies. | -### Security links +#### Security links + Provide the list of links to existing security documentation for the project. You may use the table below as an example: | Doc | url | | -- | -- | -| Security file | https://my.security.file | -| Default and optional configs | https://example.org/config | +| Security file | | +| Default and optional configs | | + -## Overview +### Overview One or two sentences describing the project -- something memorable and accurate that distinguishes your project to quickly orient readers who may be assessing multiple projects. -### Background +#### Background Provide information for reviewers who may not be familiar with your project's domain or problem area. -### Actors -These are the individual parts of your system that interact to provide the +#### Actors + +These are the individual parts of your system that interact to provide the desired functionality. Actors only need to be separate, if they are isolated in some way. For example, if a service has a database and a front-end API, but if a vulnerability in either one would compromise the other, then the distinction 
@@ -70,30 +74,33 @@ between the database and front-end is not relevant. The means by which actors are isolated should also be described, as this is often what prevents an attacker from moving laterally after a compromise. -### Actions +#### Actions + These are the steps that a project performs in order to provide some service or functionality. These steps are performed by different actors in the system. Note, that an action need not be overly descriptive at the function call level. -It is sufficient to focus on the security checks performed, use of sensitive +It is sufficient to focus on the security checks performed, use of sensitive data, and interactions between actors to perform an action. -For example, the access server receives the client request, checks the format, -validates that the request corresponds to a file the client is authorized to -access, and then returns a token to the client. The client then transmits that +For example, the access server receives the client request, checks the format, +validates that the request corresponds to a file the client is authorized to +access, and then returns a token to the client. The client then transmits that token to the file server, which, after confirming its validity, returns the file. -### Goals +#### Goals + The intended goals of the projects including the security guarantees the project is meant to provide (e.g., Flibble only allows parties with an authorization key to change data it stores). -### Non-goals +#### Non-goals + Non-goals that a reasonable reader of the project’s literature could believe may be in scope (e.g., Flibble does not intend to stop a party with a key from storing an arbitrarily large amount of data, possibly incurring financial cost or overwhelming the servers) -## Self-assessment use +### Self-assessment use This self-assessment is created by the [project] team to perform an internal analysis of the project's security. It is not intended to provide a security audit of [project], or 
@@ -109,7 +116,7 @@ to assist in a joint-assessment, necessary for projects under incubation. Taken together, this document and the joint-assessment serve as a cornerstone for if and when [project] seeks graduation and is preparing for a security audit. -## Security functions and features +### Security functions and features * Critical. A listing critical security components of the project with a brief description of their importance. It is recommended these be used for threat modeling. @@ -121,12 +128,12 @@ for changes to the project. the project, such as deployment configurations, settings, etc. These should also be included in threat modeling. -## Project compliance +### Project compliance * Compliance. List any security standards or sub-sections the project is already documented as meeting (PCI-DSS, COBIT, ISO, GDPR, etc.). -## Secure development practices +### Secure development practices * Development Pipeline. A description of the testing and assessment processes that the software undergoes as it is developed and built. Be sure to include specific @@ -145,7 +152,7 @@ virtualization for 80% of cloud users. So, our small number of "users" actually represents very wide usage across the ecosystem since every virtual instance uses Flibber encryption by default.) -## Security issue resolution +### Security issue resolution * Responsible Disclosures Process. A outline of the project's responsible disclosures process should suspected security issues, incidents, or 
@@ -157,12 +164,12 @@ outline should discuss communication methods/strategies. confirmation, notification of vulnerability or security incident, and patching/update availability. -## Appendix +### Appendix * Known Issues Over Time. List or summarize statistics of past vulnerabilities with links. If none have been reported, provide data, if any, about your track record in catching issues in code review or automated testing. -* [CII Best Practices](https://www.coreinfrastructure.org/programs/best-practices-program/). +* [Open SSF Best Practices](https://www.bestpractices.dev/en). Best Practices. A brief discussion of where the project is at with respect to CII best practices and what it would need to achieve the badge. diff --git a/assessments/intake-process.md b/community/assessments/intake-process.md similarity index 96% rename from assessments/intake-process.md rename to community/assessments/intake-process.md index 81da8dee4..b486d9992 100644 --- a/assessments/intake-process.md +++ b/community/assessments/intake-process.md @@ -8,7 +8,7 @@ cloud native ecosystem and helping cloud native projects succeed. The following process describes how projects are prioritized for security assessments. -# Authority +## Authority Team members are welcome to submit PRs to streamline this process when priorities are clear based on the criteria below. As needed, specific leaders 
@@ -26,14 +26,14 @@ coordinate the decision-making process. team, resolving questions/concerns about prioritization, and serving as an escalation point for projects or TAG members, if needed. -# Pre-conditions +## Pre-conditions * The project is either a CNCF project OR an assertion that the project is cloud native (any objection must be resolved before an assessment would be considered) * The project has identified a project lead and has a written self-assessment -# Intake priorities +## Intake priorities The following priorities are high-level guidance for how to coordinate the work of the group when there are multiple projects that are ready for an @@ -65,14 +65,14 @@ Security Assessment Facilitator may remove the project from the queue with notification to the co-chairs. The Security Assessment Facilitator will update the corresponding issue, prior to closing the project's request. -# Updates and renewal +## Updates and renewal The Security Assessment team will aim to review assessed projects annually, focusing primarily on any issues or concerns raised in previous assessments, addressing new functionality that affects risk profile of the project, and any issue that may have been flagged about the project. -# Managing the assessment queue +## Managing the assessment queue Note: this section describes the current process. Anyone is welcome to open a github issue or submit a pull request suggesting process improvements @@ -82,7 +82,7 @@ is clearly communicated to the group (typically by adding a note to the relevant github issue). Each assessment is represented as a github issue, where the description field -follows a [template](/.github/ISSUE_TEMPLATE/joint-assessment.md) +follows a [template](.github/ISSUE_TEMPLATE/joint-review.md) The queue is visible through [github project](https://github.com/cncf/tag-security/projects/2) 
diff --git a/assessments/projects/README.md b/community/assessments/projects/README.md
similarity index 100%
rename from assessments/projects/README.md
rename to community/assessments/projects/README.md
diff --git a/assessments/projects/antrea/self-assessment.md b/community/assessments/projects/antrea/self-assessment.md
similarity index 100%
rename from assessments/projects/antrea/self-assessment.md
rename to community/assessments/projects/antrea/self-assessment.md
diff --git a/assessments/projects/buildpacks/README.md b/community/assessments/projects/buildpacks/README.md
similarity index 100%
rename from assessments/projects/buildpacks/README.md
rename to community/assessments/projects/buildpacks/README.md
diff --git a/assessments/projects/buildpacks/self-assessment.md b/community/assessments/projects/buildpacks/self-assessment.md
similarity index 100%
rename from assessments/projects/buildpacks/self-assessment.md
rename to community/assessments/projects/buildpacks/self-assessment.md
diff --git a/assessments/projects/cert-manager/adalogics_diagram.png b/community/assessments/projects/cert-manager/adalogics_diagram.png
similarity index 100%
rename from assessments/projects/cert-manager/adalogics_diagram.png
rename to community/assessments/projects/cert-manager/adalogics_diagram.png
diff --git a/assessments/projects/cert-manager/self-assessment.md b/community/assessments/projects/cert-manager/self-assessment.md
similarity index 100%
rename from assessments/projects/cert-manager/self-assessment.md
rename to community/assessments/projects/cert-manager/self-assessment.md
diff --git a/assessments/projects/cloudevents/images/apex-logo.png b/community/assessments/projects/cloudevents/images/apex-logo.png
similarity index 100%
rename from assessments/projects/cloudevents/images/apex-logo.png
rename to community/assessments/projects/cloudevents/images/apex-logo.png
diff --git a/assessments/projects/cloudevents/images/async-api-logo.png b/community/assessments/projects/cloudevents/images/async-api-logo.png
similarity index 100%
rename from assessments/projects/cloudevents/images/async-api-logo.png
rename to community/assessments/projects/cloudevents/images/async-api-logo.png
diff --git a/assessments/projects/cloudevents/images/cloudevents-actions.png b/community/assessments/projects/cloudevents/images/cloudevents-actions.png
similarity index 100%
rename from assessments/projects/cloudevents/images/cloudevents-actions.png
rename to community/assessments/projects/cloudevents/images/cloudevents-actions.png
diff --git a/assessments/projects/cloudevents/images/cloudevents-logo.png b/community/assessments/projects/cloudevents/images/cloudevents-logo.png
similarity index 100%
rename from assessments/projects/cloudevents/images/cloudevents-logo.png
rename to community/assessments/projects/cloudevents/images/cloudevents-logo.png
diff --git a/assessments/projects/cloudevents/images/opentelemetry-logo.svg b/community/assessments/projects/cloudevents/images/opentelemetry-logo.svg
similarity index 100%
rename from assessments/projects/cloudevents/images/opentelemetry-logo.svg
rename to community/assessments/projects/cloudevents/images/opentelemetry-logo.svg
diff --git a/assessments/projects/cloudevents/images/soap-evenlope.png b/community/assessments/projects/cloudevents/images/soap-evenlope.png
similarity index 100%
rename from assessments/projects/cloudevents/images/soap-evenlope.png
rename to community/assessments/projects/cloudevents/images/soap-evenlope.png
diff --git a/assessments/projects/cloudevents/images/soap-webservice.png b/community/assessments/projects/cloudevents/images/soap-webservice.png
similarity index 100%
rename from assessments/projects/cloudevents/images/soap-webservice.png
rename to community/assessments/projects/cloudevents/images/soap-webservice.png
diff --git a/assessments/projects/cloudevents/self-assessment.md b/community/assessments/projects/cloudevents/self-assessment.md
similarity index 100%
rename from assessments/projects/cloudevents/self-assessment.md
rename to community/assessments/projects/cloudevents/self-assessment.md
diff --git a/assessments/projects/cni/docs/CNI-config.png b/community/assessments/projects/cni/docs/CNI-config.png
similarity index 100%
rename from assessments/projects/cni/docs/CNI-config.png
rename to community/assessments/projects/cni/docs/CNI-config.png
diff --git a/assessments/projects/cni/docs/CNI-role.png b/community/assessments/projects/cni/docs/CNI-role.png
similarity index 100%
rename from assessments/projects/cni/docs/CNI-role.png
rename to community/assessments/projects/cni/docs/CNI-role.png
diff --git a/assessments/projects/cni/docs/lightweight-threat-assessment.md b/community/assessments/projects/cni/docs/lightweight-threat-assessment.md
similarity index 100%
rename from assessments/projects/cni/docs/lightweight-threat-assessment.md
rename to community/assessments/projects/cni/docs/lightweight-threat-assessment.md
diff --git a/assessments/projects/cni/self-assessment.md b/community/assessments/projects/cni/self-assessment.md
similarity index 100%
rename from assessments/projects/cni/self-assessment.md
rename to community/assessments/projects/cni/self-assessment.md
diff --git a/assessments/projects/contour/self-assessment.md b/community/assessments/projects/contour/self-assessment.md
similarity index 100%
rename from assessments/projects/contour/self-assessment.md
rename to community/assessments/projects/contour/self-assessment.md
diff --git a/assessments/projects/coredns/self-assessment.md b/community/assessments/projects/coredns/self-assessment.md
similarity index 100%
rename from assessments/projects/coredns/self-assessment.md
rename to community/assessments/projects/coredns/self-assessment.md
diff --git a/assessments/projects/cortex/self-assessment.md b/community/assessments/projects/cortex/self-assessment.md
similarity index 100%
rename from assessments/projects/cortex/self-assessment.md
rename to community/assessments/projects/cortex/self-assessment.md
diff --git a/assessments/projects/cortex/threat-model.md b/community/assessments/projects/cortex/threat-model.md
similarity index 100%
rename from assessments/projects/cortex/threat-model.md
rename to community/assessments/projects/cortex/threat-model.md
diff --git a/assessments/projects/cubefs/self-assessment.md b/community/assessments/projects/cubefs/self-assessment.md
similarity index 100%
rename from assessments/projects/cubefs/self-assessment.md
rename to community/assessments/projects/cubefs/self-assessment.md
diff --git a/assessments/projects/custodian/c7n_attacks.drawio b/community/assessments/projects/custodian/c7n_attacks.drawio
similarity index 100%
rename from assessments/projects/custodian/c7n_attacks.drawio
rename to community/assessments/projects/custodian/c7n_attacks.drawio
diff --git a/assessments/projects/custodian/c7n_attacks.png b/community/assessments/projects/custodian/c7n_attacks.png
similarity index 100%
rename from assessments/projects/custodian/c7n_attacks.png
rename to community/assessments/projects/custodian/c7n_attacks.png
diff --git a/assessments/projects/custodian/c7n_threat_assessment.png b/community/assessments/projects/custodian/c7n_threat_assessment.png
similarity index 100%
rename from assessments/projects/custodian/c7n_threat_assessment.png
rename to community/assessments/projects/custodian/c7n_threat_assessment.png
diff --git a/assessments/projects/custodian/joint-review.md b/community/assessments/projects/custodian/joint-review.md
similarity index 100%
rename from assessments/projects/custodian/joint-review.md
rename to community/assessments/projects/custodian/joint-review.md
diff --git a/assessments/projects/emissary-ingress/image-3.png b/community/assessments/projects/emissary-ingress/image-3.png
similarity index 100%
rename from assessments/projects/emissary-ingress/image-3.png
rename to community/assessments/projects/emissary-ingress/image-3.png
diff --git a/assessments/projects/emissary-ingress/self-assessment.md b/community/assessments/projects/emissary-ingress/self-assessment.md
similarity index 100%
rename from assessments/projects/emissary-ingress/self-assessment.md
rename to community/assessments/projects/emissary-ingress/self-assessment.md
diff --git a/assessments/projects/external-secrets/assets/component-overview.png b/community/assessments/projects/external-secrets/assets/component-overview.png
similarity index 100%
rename from assessments/projects/external-secrets/assets/component-overview.png
rename to community/assessments/projects/external-secrets/assets/component-overview.png
diff --git a/assessments/projects/external-secrets/assets/overview.png b/community/assessments/projects/external-secrets/assets/overview.png
similarity index 100%
rename from assessments/projects/external-secrets/assets/overview.png
rename to community/assessments/projects/external-secrets/assets/overview.png
diff --git a/assessments/projects/external-secrets/docs/stride-threat-model.md b/community/assessments/projects/external-secrets/docs/stride-threat-model.md
similarity index 100%
rename from assessments/projects/external-secrets/docs/stride-threat-model.md
rename to community/assessments/projects/external-secrets/docs/stride-threat-model.md
diff --git a/assessments/projects/external-secrets/self-assessment.md b/community/assessments/projects/external-secrets/self-assessment.md
similarity index 100%
rename from assessments/projects/external-secrets/self-assessment.md
rename to community/assessments/projects/external-secrets/self-assessment.md
diff --git a/assessments/projects/flatcar/joint-assessment.md b/community/assessments/projects/flatcar/joint-assessment.md
similarity index 100%
rename from assessments/projects/flatcar/joint-assessment.md
rename to community/assessments/projects/flatcar/joint-assessment.md
diff --git a/assessments/projects/flatcar/self-assessment.md b/community/assessments/projects/flatcar/self-assessment.md
similarity index 100%
rename from assessments/projects/flatcar/self-assessment.md
rename to community/assessments/projects/flatcar/self-assessment.md
diff --git a/assessments/projects/fluentd/fluent-bit/README.md b/community/assessments/projects/fluentd/fluent-bit/README.md
similarity index 100%
rename from assessments/projects/fluentd/fluent-bit/README.md
rename to community/assessments/projects/fluentd/fluent-bit/README.md
diff --git a/assessments/projects/fluentd/fluentd/self-assessment.md b/community/assessments/projects/fluentd/fluentd/self-assessment.md
similarity index 100%
rename from assessments/projects/fluentd/fluentd/self-assessment.md
rename to community/assessments/projects/fluentd/fluentd/self-assessment.md
diff --git a/assessments/projects/fluentd/plugins/README.md b/community/assessments/projects/fluentd/plugins/README.md
similarity index 100%
rename from assessments/projects/fluentd/plugins/README.md
rename to community/assessments/projects/fluentd/plugins/README.md
diff --git a/assessments/projects/harbor/README.md b/community/assessments/projects/harbor/README.md
similarity index 100%
rename from assessments/projects/harbor/README.md
rename to community/assessments/projects/harbor/README.md
diff --git a/assessments/projects/harbor/docs/Harbor-architecture.png b/community/assessments/projects/harbor/docs/Harbor-architecture.png
similarity index 100%
rename from assessments/projects/harbor/docs/Harbor-architecture.png
rename to community/assessments/projects/harbor/docs/Harbor-architecture.png
diff --git a/assessments/projects/harbor/docs/Harbor-history.png b/community/assessments/projects/harbor/docs/Harbor-history.png
similarity index 100%
rename from assessments/projects/harbor/docs/Harbor-history.png
rename to community/assessments/projects/harbor/docs/Harbor-history.png
diff --git a/assessments/projects/harbor/docs/blast-radius-and-recovery.png b/community/assessments/projects/harbor/docs/blast-radius-and-recovery.png
similarity index 100%
rename from assessments/projects/harbor/docs/blast-radius-and-recovery.png
rename to community/assessments/projects/harbor/docs/blast-radius-and-recovery.png
diff --git a/assessments/projects/harbor/self-assessment.md b/community/assessments/projects/harbor/self-assessment.md
similarity index 100%
rename from assessments/projects/harbor/self-assessment.md
rename to community/assessments/projects/harbor/self-assessment.md
diff --git a/assessments/projects/in-toto/README.md b/community/assessments/projects/in-toto/README.md
similarity index 100%
rename from assessments/projects/in-toto/README.md
rename to community/assessments/projects/in-toto/README.md
diff --git a/assessments/projects/in-toto/debian-rebuilder.png b/community/assessments/projects/in-toto/debian-rebuilder.png
similarity index 100%
rename from assessments/projects/in-toto/debian-rebuilder.png
rename to community/assessments/projects/in-toto/debian-rebuilder.png
diff --git a/assessments/projects/in-toto/kubesec.png b/community/assessments/projects/in-toto/kubesec.png
similarity index 100%
rename from assessments/projects/in-toto/kubesec.png
rename to community/assessments/projects/in-toto/kubesec.png
diff --git a/assessments/projects/in-toto/self-assessment.md b/community/assessments/projects/in-toto/self-assessment.md
similarity index 100%
rename from assessments/projects/in-toto/self-assessment.md
rename to community/assessments/projects/in-toto/self-assessment.md
diff --git a/assessments/projects/jaeger/self-assessment.md b/community/assessments/projects/jaeger/self-assessment.md
similarity index 100%
rename from assessments/projects/jaeger/self-assessment.md
rename to community/assessments/projects/jaeger/self-assessment.md
diff --git a/assessments/projects/karmada/docs/Karmada-architecture.png b/community/assessments/projects/karmada/docs/Karmada-architecture.png
similarity index 100%
rename from assessments/projects/karmada/docs/Karmada-architecture.png
rename to community/assessments/projects/karmada/docs/Karmada-architecture.png
diff --git a/assessments/projects/karmada/docs/Karmada-components.png b/community/assessments/projects/karmada/docs/Karmada-components.png
similarity index 100%
rename from assessments/projects/karmada/docs/Karmada-components.png
rename to community/assessments/projects/karmada/docs/Karmada-components.png
diff --git a/assessments/projects/karmada/self-assessment.md b/community/assessments/projects/karmada/self-assessment.md
similarity index 100%
rename from assessments/projects/karmada/self-assessment.md
rename to community/assessments/projects/karmada/self-assessment.md
diff --git a/assessments/projects/karmada/threatmodeling.md b/community/assessments/projects/karmada/threatmodeling.md
similarity index 100%
rename from assessments/projects/karmada/threatmodeling.md
rename to community/assessments/projects/karmada/threatmodeling.md
diff --git a/assessments/projects/keycloak/README.md b/community/assessments/projects/keycloak/README.md
similarity index 100%
rename from assessments/projects/keycloak/README.md
rename to community/assessments/projects/keycloak/README.md
diff --git a/assessments/projects/keycloak/docs/image1.png b/community/assessments/projects/keycloak/docs/image1.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image1.png
rename to community/assessments/projects/keycloak/docs/image1.png
diff --git a/assessments/projects/keycloak/docs/image10.png b/community/assessments/projects/keycloak/docs/image10.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image10.png
rename to community/assessments/projects/keycloak/docs/image10.png
diff --git a/assessments/projects/keycloak/docs/image11.png b/community/assessments/projects/keycloak/docs/image11.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image11.png
rename to community/assessments/projects/keycloak/docs/image11.png
diff --git a/assessments/projects/keycloak/docs/image2.png b/community/assessments/projects/keycloak/docs/image2.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image2.png
rename to community/assessments/projects/keycloak/docs/image2.png
diff --git a/assessments/projects/keycloak/docs/image3.png b/community/assessments/projects/keycloak/docs/image3.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image3.png
rename to community/assessments/projects/keycloak/docs/image3.png
diff --git a/assessments/projects/keycloak/docs/image4.png b/community/assessments/projects/keycloak/docs/image4.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image4.png
rename to community/assessments/projects/keycloak/docs/image4.png
diff --git a/assessments/projects/keycloak/docs/image5.png b/community/assessments/projects/keycloak/docs/image5.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image5.png
rename to community/assessments/projects/keycloak/docs/image5.png
diff --git a/assessments/projects/keycloak/docs/image6.png b/community/assessments/projects/keycloak/docs/image6.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image6.png
rename to community/assessments/projects/keycloak/docs/image6.png
diff --git a/assessments/projects/keycloak/docs/image7.png b/community/assessments/projects/keycloak/docs/image7.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image7.png
rename to community/assessments/projects/keycloak/docs/image7.png
diff --git a/assessments/projects/keycloak/docs/image8.png b/community/assessments/projects/keycloak/docs/image8.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image8.png
rename to community/assessments/projects/keycloak/docs/image8.png
diff --git a/assessments/projects/keycloak/docs/image9.png b/community/assessments/projects/keycloak/docs/image9.png
similarity index 100%
rename from assessments/projects/keycloak/docs/image9.png
rename to community/assessments/projects/keycloak/docs/image9.png
diff --git a/assessments/projects/keycloak/self-assessment.md b/community/assessments/projects/keycloak/self-assessment.md
similarity index 100%
rename from assessments/projects/keycloak/self-assessment.md
rename to community/assessments/projects/keycloak/self-assessment.md
diff --git a/assessments/projects/knative/knative_dia.png b/community/assessments/projects/knative/knative_dia.png
similarity index 100%
rename from assessments/projects/knative/knative_dia.png
rename to community/assessments/projects/knative/knative_dia.png
diff --git a/assessments/projects/knative/recommendations.md b/community/assessments/projects/knative/recommendations.md
similarity index 100%
rename from assessments/projects/knative/recommendations.md
rename to community/assessments/projects/knative/recommendations.md
diff --git a/assessments/projects/knative/self-assessment.md b/community/assessments/projects/knative/self-assessment.md
similarity index 100%
rename from assessments/projects/knative/self-assessment.md
rename to community/assessments/projects/knative/self-assessment.md
diff --git a/assessments/projects/kyverno/README.md b/community/assessments/projects/kyverno/README.md
similarity index 100%
rename from assessments/projects/kyverno/README.md
rename to community/assessments/projects/kyverno/README.md
diff --git a/assessments/projects/kyverno/images/kyverno-architecture.png b/community/assessments/projects/kyverno/images/kyverno-architecture.png
similarity index 100%
rename from assessments/projects/kyverno/images/kyverno-architecture.png
rename to community/assessments/projects/kyverno/images/kyverno-architecture.png
diff --git a/assessments/projects/kyverno/images/kyverno-physical-architecture.png b/community/assessments/projects/kyverno/images/kyverno-physical-architecture.png
similarity index 100%
rename from assessments/projects/kyverno/images/kyverno-physical-architecture.png
rename to community/assessments/projects/kyverno/images/kyverno-physical-architecture.png
diff --git a/assessments/projects/kyverno/self-assessment.md b/community/assessments/projects/kyverno/self-assessment.md
similarity index 100%
rename from assessments/projects/kyverno/self-assessment.md
rename to community/assessments/projects/kyverno/self-assessment.md
diff --git a/assessments/projects/linkerd/self-assessment.md b/community/assessments/projects/linkerd/self-assessment.md
similarity index 100%
rename from assessments/projects/linkerd/self-assessment.md
rename to community/assessments/projects/linkerd/self-assessment.md
diff --git a/assessments/projects/longhorn/self-assessment.md b/community/assessments/projects/longhorn/self-assessment.md
similarity index 100%
rename from assessments/projects/longhorn/self-assessment.md
rename to community/assessments/projects/longhorn/self-assessment.md
diff --git a/assessments/projects/longhorn/threat-model.md b/community/assessments/projects/longhorn/threat-model.md
similarity index 100%
rename from assessments/projects/longhorn/threat-model.md
rename to community/assessments/projects/longhorn/threat-model.md
diff --git a/assessments/projects/nats/doc/threat-modeling.md b/community/assessments/projects/nats/doc/threat-modeling.md
similarity index 100%
rename from assessments/projects/nats/doc/threat-modeling.md
rename to community/assessments/projects/nats/doc/threat-modeling.md
diff --git a/assessments/projects/nats/images/NATS_Figure_1_Image.jpg b/community/assessments/projects/nats/images/NATS_Figure_1_Image.jpg
similarity index 100%
rename from assessments/projects/nats/images/NATS_Figure_1_Image.jpg
rename to community/assessments/projects/nats/images/NATS_Figure_1_Image.jpg
diff --git a/assessments/projects/nats/self-assessment.md b/community/assessments/projects/nats/self-assessment.md
similarity index 100%
rename from assessments/projects/nats/self-assessment.md
rename to community/assessments/projects/nats/self-assessment.md
diff --git a/assessments/projects/opa/README.md b/community/assessments/projects/opa/README.md
similarity index 100%
rename from assessments/projects/opa/README.md
rename to community/assessments/projects/opa/README.md
diff --git a/assessments/projects/opa/docs/document_model.png b/community/assessments/projects/opa/docs/document_model.png
similarity index 100%
rename from assessments/projects/opa/docs/document_model.png
rename to community/assessments/projects/opa/docs/document_model.png
diff --git a/assessments/projects/opa/docs/request_response.png b/community/assessments/projects/opa/docs/request_response.png
similarity index 100%
rename from assessments/projects/opa/docs/request_response.png
rename to community/assessments/projects/opa/docs/request_response.png
diff --git a/assessments/projects/opa/self-assessment.md b/community/assessments/projects/opa/self-assessment.md
similarity index 100%
rename from assessments/projects/opa/self-assessment.md
rename to community/assessments/projects/opa/self-assessment.md
diff --git a/assessments/projects/open-telemetry/self-assessment.md b/community/assessments/projects/open-telemetry/self-assessment.md
similarity index 100%
rename from assessments/projects/open-telemetry/self-assessment.md
rename to community/assessments/projects/open-telemetry/self-assessment.md
diff --git a/assessments/projects/openfga/OpenFGA Playground.png b/community/assessments/projects/openfga/OpenFGA Playground.png
similarity index 100%
rename from assessments/projects/openfga/OpenFGA Playground.png
rename to community/assessments/projects/openfga/OpenFGA Playground.png
diff --git a/assessments/projects/openfga/self-assessment.md b/community/assessments/projects/openfga/self-assessment.md
similarity index 100%
rename from assessments/projects/openfga/self-assessment.md
rename to community/assessments/projects/openfga/self-assessment.md
diff --git a/assessments/projects/openkruise/self-assessment.md b/community/assessments/projects/openkruise/self-assessment.md
similarity index 100%
rename from assessments/projects/openkruise/self-assessment.md
rename to community/assessments/projects/openkruise/self-assessment.md
diff --git a/assessments/projects/openkruise/threat-model.md b/community/assessments/projects/openkruise/threat-model.md
similarity index 100%
rename from assessments/projects/openkruise/threat-model.md
rename to community/assessments/projects/openkruise/threat-model.md
diff --git a/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf b/community/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf
similarity index 100%
rename from assessments/projects/openmetrics/STRIDE Threat Modeling.pdf
rename to community/assessments/projects/openmetrics/STRIDE Threat Modeling.pdf
diff --git a/assessments/projects/openmetrics/self-assessment.md b/community/assessments/projects/openmetrics/self-assessment.md
similarity index 100%
rename from assessments/projects/openmetrics/self-assessment.md
rename to community/assessments/projects/openmetrics/self-assessment.md
diff --git a/assessments/projects/operator-framework/self-assessment.md b/community/assessments/projects/operator-framework/self-assessment.md
similarity index 100%
rename from assessments/projects/operator-framework/self-assessment.md
rename to community/assessments/projects/operator-framework/self-assessment.md
diff --git a/assessments/projects/pixie/README.md b/community/assessments/projects/pixie/README.md
similarity index 100%
rename from assessments/projects/pixie/README.md
rename to community/assessments/projects/pixie/README.md
diff --git a/assessments/projects/pixie/self-assessment.md b/community/assessments/projects/pixie/self-assessment.md
similarity index 100%
rename from assessments/projects/pixie/self-assessment.md
rename to community/assessments/projects/pixie/self-assessment.md
diff --git a/assessments/projects/rook/Rook High-Level Architecture.png b/community/assessments/projects/rook/Rook High-Level Architecture.png
similarity index 100%
rename from assessments/projects/rook/Rook High-Level Architecture.png
rename to community/assessments/projects/rook/Rook High-Level Architecture.png
diff --git a/assessments/projects/rook/self-assessment.md b/community/assessments/projects/rook/self-assessment.md
similarity index 100%
rename from assessments/projects/rook/self-assessment.md
rename to community/assessments/projects/rook/self-assessment.md
diff --git a/assessments/projects/spiffe-spire/README.md b/community/assessments/projects/spiffe-spire/README.md
similarity index 100%
rename from assessments/projects/spiffe-spire/README.md
rename to community/assessments/projects/spiffe-spire/README.md
diff --git a/assessments/projects/spiffe-spire/docs/image0.png b/community/assessments/projects/spiffe-spire/docs/image0.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image0.png
rename to community/assessments/projects/spiffe-spire/docs/image0.png
diff --git a/assessments/projects/spiffe-spire/docs/image1.png b/community/assessments/projects/spiffe-spire/docs/image1.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image1.png
rename to community/assessments/projects/spiffe-spire/docs/image1.png
diff --git a/assessments/projects/spiffe-spire/docs/image2.png b/community/assessments/projects/spiffe-spire/docs/image2.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image2.png
rename to community/assessments/projects/spiffe-spire/docs/image2.png
diff --git a/assessments/projects/spiffe-spire/docs/image3.png b/community/assessments/projects/spiffe-spire/docs/image3.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image3.png
rename to community/assessments/projects/spiffe-spire/docs/image3.png
diff --git a/assessments/projects/spiffe-spire/docs/image4.png b/community/assessments/projects/spiffe-spire/docs/image4.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image4.png
rename to community/assessments/projects/spiffe-spire/docs/image4.png
diff --git a/assessments/projects/spiffe-spire/docs/image5.png b/community/assessments/projects/spiffe-spire/docs/image5.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image5.png
rename to community/assessments/projects/spiffe-spire/docs/image5.png
diff --git a/assessments/projects/spiffe-spire/docs/image6.png b/community/assessments/projects/spiffe-spire/docs/image6.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image6.png
rename to community/assessments/projects/spiffe-spire/docs/image6.png
diff --git a/assessments/projects/spiffe-spire/docs/image7.png b/community/assessments/projects/spiffe-spire/docs/image7.png
similarity index 100%
rename from assessments/projects/spiffe-spire/docs/image7.png
rename to community/assessments/projects/spiffe-spire/docs/image7.png
diff --git a/assessments/projects/spiffe-spire/self-assessment.md b/community/assessments/projects/spiffe-spire/self-assessment.md
similarity index 100%
rename from assessments/projects/spiffe-spire/self-assessment.md
rename to community/assessments/projects/spiffe-spire/self-assessment.md
diff --git a/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png b/community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png
similarity index 100%
rename from assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png
rename to community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-receive.png
diff --git a/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png b/community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png
similarity index 100%
rename from assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png
rename to community/assessments/projects/thanos/res/thanos-high-level-arch-diagram-sidecar.png
diff --git a/assessments/projects/thanos/res/workflow1.excalidraw.png b/community/assessments/projects/thanos/res/workflow1.excalidraw.png
similarity index 100%
rename from assessments/projects/thanos/res/workflow1.excalidraw.png
rename to community/assessments/projects/thanos/res/workflow1.excalidraw.png
diff --git a/assessments/projects/thanos/res/workflow2.excalidraw.png b/community/assessments/projects/thanos/res/workflow2.excalidraw.png
similarity index 100%
rename from assessments/projects/thanos/res/workflow2.excalidraw.png
rename to community/assessments/projects/thanos/res/workflow2.excalidraw.png
diff --git a/assessments/projects/thanos/self-assessment.md b/community/assessments/projects/thanos/self-assessment.md
similarity index 100%
rename from assessments/projects/thanos/self-assessment.md
rename to community/assessments/projects/thanos/self-assessment.md
diff --git a/assessments/projects/tikv/self-assessment.md b/community/assessments/projects/tikv/self-assessment.md
similarity index 100%
rename from assessments/projects/tikv/self-assessment.md
rename to community/assessments/projects/tikv/self-assessment.md
diff --git a/assessments/projects/tikv/src/imgs/distributed_transaction.png b/community/assessments/projects/tikv/src/imgs/distributed_transaction.png
similarity index 100%
rename from assessments/projects/tikv/src/imgs/distributed_transaction.png
rename to community/assessments/projects/tikv/src/imgs/distributed_transaction.png
diff --git a/assessments/projects/tikv/src/imgs/layer.png b/community/assessments/projects/tikv/src/imgs/layer.png
similarity index 100%
rename from assessments/projects/tikv/src/imgs/layer.png
rename to community/assessments/projects/tikv/src/imgs/layer.png
diff --git a/assessments/projects/tikv/src/imgs/raft_consensus.png b/community/assessments/projects/tikv/src/imgs/raft_consensus.png
similarity index 100%
rename from assessments/projects/tikv/src/imgs/raft_consensus.png
rename to community/assessments/projects/tikv/src/imgs/raft_consensus.png
diff --git a/assessments/projects/tikv/src/imgs/sharding.png b/community/assessments/projects/tikv/src/imgs/sharding.png
similarity index 100%
rename from assessments/projects/tikv/src/imgs/sharding.png
rename to community/assessments/projects/tikv/src/imgs/sharding.png
diff --git a/assessments/projects/tikv/src/imgs/tikv_wholepic.png b/community/assessments/projects/tikv/src/imgs/tikv_wholepic.png
similarity index 100%
rename from assessments/projects/tikv/src/imgs/tikv_wholepic.png
rename to community/assessments/projects/tikv/src/imgs/tikv_wholepic.png
diff --git a/assessments/projects/tikv/tikv-threat-model.md b/community/assessments/projects/tikv/tikv-threat-model.md
similarity index 100%
rename from assessments/projects/tikv/tikv-threat-model.md
rename to community/assessments/projects/tikv/tikv-threat-model.md
diff --git a/assessments/projects/volcano/arch.png b/community/assessments/projects/volcano/arch.png
similarity index 100%
rename from assessments/projects/volcano/arch.png
rename to community/assessments/projects/volcano/arch.png
diff --git a/assessments/projects/volcano/recommendations.md b/community/assessments/projects/volcano/recommendations.md
similarity index 100%
rename from assessments/projects/volcano/recommendations.md
rename to community/assessments/projects/volcano/recommendations.md
diff --git a/assessments/projects/volcano/self-assessment.md b/community/assessments/projects/volcano/self-assessment.md
similarity index 100%
rename from assessments/projects/volcano/self-assessment.md
rename to community/assessments/projects/volcano/self-assessment.md
diff --git a/assessments/projects/volcano/threat-analysis.md b/community/assessments/projects/volcano/threat-analysis.md
similarity index 100%
rename from assessments/projects/volcano/threat-analysis.md
rename to community/assessments/projects/volcano/threat-analysis.md