2025-07-08 SIG Security Minutes
Community Attendees:
@Prashant Mishra
@Byung-Woo Jun
@Gaurav Kumar
@Phil Porras
@Rahul Jadhav
LF Staff:
Agenda
Antitrust Policy
Action Items Review
Secrets Manager Next steps
Fiachra: Requirement for getting package list
Minutes
Secret Manager
@Prashant Mishra to upload the Secrets Manager documents to the Documentation section
Guide:-Using-Red-Hat-COP-Vault-Config-Operator-with-SPIFFE-Integration
Prepare towards a demo with SIG-Automation
Checkov scanning
The PR can’t be merged right now since we do not have a consensus on how to maintain the baseline.
Gaurav will message on the SIG Security channel asking for updates from Fiachra.
Nephio Component List (issue raised by Fiachra)
Fiachra checked whether there is any way of getting/publishing the Nephio component list along with the release.
This is not the same as SBOM.
Currently a script is used to skim through the catalog repo and get the component list.
This needs to be discussed with SIG-Automation.
Cryptography scanning tool - PQCA
IBM donated their cryptography scanning toolkit to LF. The ONAP SECCOM is exploring adoption of the tool into LF CI/CD. See https://github.com/PQCA/ for the PQC Alliance and its tools for CBOM. @Byung-Woo Jun will update us on this.