Agenda

Action Items Review
Workload Identity: PR merge/readiness
- No issues with core, most comments are related to code quality/maintenance
- No risks with PR getting merged in R4!
R5 Planning: Security Work Items
- Revisit past user stories and check if any of it can be picked? (User Identity and Access Management, Vault support, …)
  - Vault Support (potential work item for contribution)
- Security Blueprint?
  - Create a high level PoV/sketch ..
- FOSSology report (xls) (potential work item)
  - Add lic header to all existing sources
  - Automate prow jobs to check for license hdr across all the repos
- IaC scanning integration? (potential work item)
  - Getting all the issues reported in scanned reports. Create baseline from it.
  - Automating the CI/CD workflow to do the scan on every PR
- Monthly Security Report. [container image scanning, IaC scanning, OSSF updates]
- Is it possible for observability work to be taken from SIG-Security? Observability could be a great use-case for workload identity.
Call for contributors?
- Making action items clear … clear High Level Design, expected work hours, clear expected deliverable.
- With this information we can push for getting help from contributors …
- Taking part in mentorship programmes?

Minutes

Topic 1

@Byung-Woo Jun to check about User Identity and Access mgmt work with the concerned team and get back.
Work with ONAP SECCOM to understand security blueprints work. (Mudassar and Lincoln will be meeting).
How does ONAP report security posture of the container images?

Finalize R5 Action Items

Sending call for contributions … with clear, enticing, work items

@Byung-Woo Jun to check with SECCOM about how they maintain the security posture and report it periodically.

March 4th Lincoln from UNH will present the security blueprints