ย | checkov findings triage | @ved ratan | Identify unique findings across multiple catalogs and check which findings are applicable on code that is natively written in Nephio and target those first. @Byung-Woo Jun - Jessica Gonzalez (@Jessica Gonzalez) initiated/tested the checkov-based IaC Scanning against the ONAP CPS project. Now, she is looking for baselines/policies/best practices how to digest scanning outcome. See the first test result, Call Gerrit Verify ยท onap/cps@c8e2b33 @Rahul provided a set of requirements for Nephio IaC scanning, [P0] Scan k8s manifests, terraform, dockerfiles for findings [P0] Should be able to create baseline and ignore findings in the base-charts (prerequisites) [P1] Should be possible to find unique findings across multiple files [P0] Should be possible to periodically report the findings to the SIG-Automation [P0] Fail the PR if the changes causes a deviation in the baseline
@ved ratan , please share your insight. I plan to discuss the best practices with ONAP SECCOM and will share its outcome.
|