Agenda

Antitrust Policy

• Action Items Review

• Workload Identity: PR merge/readiness

  • No issues with core, most comments are related to code quality/maintenance

  • No risks with PR getting merged in R4!

• R5 Planning: Security Work Items

  • Revisit past user stories and check if any of it can be picked? (User Identity and Access Management, Vault support, …)

    • Vault Support (potential work item for contribution)

  • Security Blueprint?

    • Create a high level PoV/sketch ..

  • FOSSology report (xls) (potential work item)

    • Add lic header to all existing sources

    • Automate prow jobs to check for license hdr across all the repos

  • IaC scanning integration? (potential work item)

    • Getting all the issues reported in scanned reports. Create baseline from it.

    • Automating the CI/CD workflow to do the scan on every PR

  • Monthly Security Report. [container image scanning, IaC scanning, OSSF updates]

  • Is it possible for observability work to be taken from SIG-Security? Observability could be a great use-case for workload identity.

• Call for contributors?

  • Making action items clear … clear High Level Design, expected work hours, clear expected deliverable.

  • With this information we can push for getting help from contributors …

  • Taking part in mentorship programmes?

Minutes

Topic 1

• @Byung-Woo Jun to check about User Identity and Access mgmt work with the concerned team and get back.

• Work with ONAP SECCOM to understand security blueprints work. (Mudassar and Lincoln will be meeting).

• How does ONAP report security posture of the container images?

Action items