From 0430812cfc8c9cd09b62ea492c7084963dd22642 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 9 Oct 2024 21:28:40 -0500 Subject: [PATCH 1/4] Applied feedback to the moving-levels review template Signed-off-by: Eddie Knight --- .../moving-levels-review-template.md | 34 ++++++++++++++++--- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/project-resources/moving-levels-review-template.md b/project-resources/moving-levels-review-template.md index a160e5b7d..55a57a188 100644 --- a/project-resources/moving-levels-review-template.md +++ b/project-resources/moving-levels-review-template.md @@ -1,4 +1,4 @@ -# Template for TAG recommendation to TOC +# TAG recommendation to TOC ## Project Overview @@ -8,13 +8,17 @@ What ecosystem adoption has the project seen? ### Past TOC Reviews -How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)? +If already accepted, how has the project addressed comments from previous TAG or TOC reviews? ## Security Reviews ### TAG Security Assessments -Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture. +If applying for incubation, has the project completed a self-assessment? _(If not, the TAG cannot provide any recommendation to the TOC.)_ + +If applying for graduation, has the project completed a joint assessment? _(If not, the TAG cannot provide any recommendation to the TOC.)_ + +If yes to either, were there any findings or recommendations that the project has addressed or added to a roadmap? Please provide links if applicable. ### Security Audit 
@@ -24,14 +28,34 @@ Has the project completed an external security audit? If yes, how have they addr ### Metrics -Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics? +Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, LFX Insights, CLOmonitor)? + +How does it rate by these metrics? Please provide links if applicable. ### Static Analysis -Does the project perform static analysis? +Does the project perform static analysis such as SAST or DAST? Please provide links if applicable. ## Sub-project Considerations +### Role of Sub-projects in the Project Ecosystem + +Does your project have sub-projects? If so, how do they interact with the main project? + +What is the maturity and adoption of each sub-project? + +Please provide links to any sub-projects that are compiled into the main project. + +Please provide links to any other sub-projects that are currently intended for end-user adoption. + +### Security Posture of Sub-projects + If the project has sub-projects, how does their security posture compare to the base project? ## TAG Recommendation to the TOC + + + + + + From c4139447725f4ae26d47249796074e4f5d96f376 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 9 Oct 2024 21:30:42 -0500 Subject: [PATCH 2/4] typofix Signed-off-by: Eddie Knight --- project-resources/moving-levels-review-template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project-resources/moving-levels-review-template.md b/project-resources/moving-levels-review-template.md index 55a57a188..864fabe1e 100644 --- a/project-resources/moving-levels-review-template.md +++ b/project-resources/moving-levels-review-template.md 
@@ -34,7 +34,7 @@ How does it rate by these metrics? Please provide links if applicable. ### Static Analysis -Does the project perform static analysis such as SAST or DAST? Please provide links if applicable. +Does the project perform static analysis such as SAST or SCA? Please provide links if applicable. ## Sub-project Considerations From 3b7f4f59ef9fcb8d9511cbfb552ae7e93eef80b6 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 30 Oct 2024 08:27:14 -0500 Subject: [PATCH 3/4] linting Signed-off-by: Eddie Knight --- ci/spelling-config.json | 1 + project-resources/moving-levels-review-template.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index 2d2989db1..19cada349 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -24,6 +24,7 @@ "cisecurity", "CISO", "cloudcustodian", + "CLOMonitor", "CMMC", "CNCF", "CNSC", diff --git a/project-resources/moving-levels-review-template.md b/project-resources/moving-levels-review-template.md index 864fabe1e..d8120662f 100644 --- a/project-resources/moving-levels-review-template.md +++ b/project-resources/moving-levels-review-template.md @@ -28,7 +28,7 @@ Has the project completed an external security audit? If yes, how have they addr ### Metrics -Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, LFX Insights, CLOmonitor)? +Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, LFX Insights, CLOmonitor)? How does it rate by these metrics? Please provide links if applicable. From 1bcac60671c6d0ab4db9fc46ff8267fbe7b275f0 Mon Sep 17 00:00:00 2001 From: Eddie Knight Date: Wed, 30 Oct 2024 06:29:24 -0700 Subject: [PATCH 4/4] Update project-resources/moving-levels-review-template.md Co-authored-by: Marina Moore 
Signed-off-by: Eddie Knight --- project-resources/moving-levels-review-template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project-resources/moving-levels-review-template.md b/project-resources/moving-levels-review-template.md index d8120662f..e5d774b1b 100644 --- a/project-resources/moving-levels-review-template.md +++ b/project-resources/moving-levels-review-template.md @@ -8,7 +8,7 @@ What ecosystem adoption has the project seen? ### Past TOC Reviews -If already accepted, how has the project addressed comments from previous TAG or TOC reviews? +If the project has undergone a previous TAG or TOC review, how has the project addressed comments from those reviews? ## Security Reviews
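Review bot: In PATCH 1/4, hunk `@@ -8,13 +8,17 @@`, the two italic clauses `_(If not, the TAG cannot provide any recommendation to the TOC.)_` turn the self-assessment and the joint assessment into hard gates without pointing at where that requirement is defined; a reviewer filling in the template should be able to cite it, so consider linking the governing process document next to each clause. The follow-up `If yes to either, were there any findings or recommendations ...` also reads as if only one of the two assessments applies to a given project, whereas a project applying for graduation will normally have completed the self-assessment on its way through incubation as well as the joint assessment; `If yes to any of the above` (or asking about findings per assessment) would remove that ambiguity.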
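Review bot: In PATCH 1/4, hunk `@@ -24,14 +28,34 @@`, `Does the project perform static analysis such as SAST or DAST?` lists DAST under a `### Static Analysis` heading, but DAST is dynamic testing; either drop it (PATCH 2/4 later replaces it with SCA) or widen the heading so that both static and dynamic testing are in scope. Two smaller points in the same hunk: `Does your project have sub-projects?` switches to second person while every other question in the template says `the project`, and the run of empty lines added after `## TAG Recommendation to the TOC` serves no purpose in a template and will trip markdownlint's multiple-consecutive-blank-lines rule (MD012) if that linter runs in CI.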
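Review bot: In PATCH 2/4, `SAST or SCA` now fits the `### Static Analysis` heading, but the commit is titled `typofix` while it changes the meaning of the question (dynamic testing is dropped, software composition analysis is added); a commit message that says so is more useful in history than `typofix`. Consider also expanding the acronyms on first use, since the template is filled in by reviewers who may not all share the vocabulary.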
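Review bot: In PATCH 3/4, hunk `@@ -24,6 +24,7 @@` of `ci/spelling-config.json` adds `"CLOMonitor"`, but the template text introduced in PATCH 1/4 spells it `CLOmonitor`; unless the spell checker is configured to ignore case, the new entry will not suppress the warning it was added for, so align the case in one of the two places (the tool itself is branded CLOMonitor, so the template is the one to change). As a nit, the surrounding list is ordered case-insensitively (`cisecurity`, `CISO`, `cloudcustodian`, `CMMC`), and in that ordering `CLOMonitor` belongs before `cloudcustodian`, not after it.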
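Review bot: In PATCH 3/4, hunk `@@ -28,7 +28,7 @@` of the template, the removed and added lines are character-for-character identical as shown, so the change is presumably trailing whitespace; that is fine, but the commit message `linting` should name the linter complaint it resolves so that a whitespace-only diff is not mistaken for a lost edit.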
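Review bot: In PATCH 4/4, the new wording `If the project has undergone a previous TAG or TOC review, how has the project addressed comments from those reviews?` repeats `the project`; `how has it addressed` reads better. More importantly, the question now covers TAG reviews as well, but the heading above it is still `### Past TOC Reviews`; rename it to `### Past TAG or TOC Reviews` so the heading matches the question.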