Agenda

Antitrust Policy

• Action Items Review

• Secrets Manager Next steps

• Fiachra: Requirement for getting package list

Minutes

Secret Manager

• @Prashant Mishra to upload the Secrets Manager documents to the Documentation section

• Workload-Identity-Setup-with-Nephio

• Guide:-Using-Red-Hat-COP-Vault-Config-Operator-with-SPIFFE-Integration

• Prepare towards a demo with SIG-Automation

Checkov scanning

• The PR can’t be merged right now since we do not have a consensus on how to maintain the baseline.

• Gaurav will message on the sig security channel for the updates from Fiachra

Nephio Component List (issue raised by Fiachra)

• Fiachra checked whether there is any way of getting/publishing the Nephio component list along with the release.

• This is not the same as SBOM.

• Currently a script is used to skim through the catalog repo and get the component list.

• This needs to be discussed with the SIG-Automation

Cryptography scanning tool - PQCA

• IBM donated their cryptography scanning tool kit to LF. The ONAP SECCOM is exploring the tool adoption into LF CI/CD. https://github.com/PQCA/ for PQC alliance and tools for CBOM. @Byung-Woo Jun will update us on this.

• Once this is working well, we will apply to Nephio

LFX Mentorship possibilities

• We already have SPIFFE, we can propose projects related to secrets management and Service Mesh

• We will ask @Rahul Jadhav to propose this to the Nephio team.

Action items