Identify unique findings across multiple catalogs and check which findings are applicable on code that is natively written in Nephio and target those first.
@Byung-Woo Jun - Jessica Gonzalez (@Jessica Gonzalez) initiated/tested the checkov-based IaC Scanning against the ONAP CPS project. Now, she is looking for baselines/policies/best practices how to digest scanning outcome. See the first test result, https://github.com/onap/cps/actions/runs/11040721512/job/30669364326
@Rahul provided a set of requirements for Nephio IaC scanning,
[P0] Scan k8s manifests, terraform, dockerfiles for findings
[P0] Should be able to create baseline and ignore findings in the base-charts (prerequisites)
[P1] Should be possible to find unique findings across multiple files
[P0] Should be possible to periodically report the findings to the SIG-Automation
[P0] Fail the PR if the changes causes a deviation in the baseline
@ved ratan , please share your insight. I plan to discuss the best practices with ONAP SECCOM and will share its outcome.