Containerd Project Security Self-Assessment - Security Pals #1202
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for tag-security ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
github-actions
bot
requested review from
mlieberman85,
PushkarJ and
ultrasaurus
|
Hi there! I'm just starting to take a look at this, and I noticed that your pull request name isn't very descriptive. If you take a look at the Pull Requests page, you'll see that the pile can be a lot easier to navigate if we all use descriptive titles. That'll help reviewers move more quickly, and also it's a great practice to follow when you're doing future work on platforms like GitHub/GitLab/Bitbucket/etc. Instead of |
|
I also noticed the DCO check is failing. You can look at the checks section of the PR (I believe it should always be below the last comment) and look for a red X highlighting the failed check. In this case, you can click |
eddie-knight
reviewed
Dec 8, 2023
Containerd/self-assessment.md
Outdated
Comment on lines
2
to
8
| The Self-assessment is the initial document for projects to begin thinking about the | ||
| security of the project, determining gaps in their security, and preparing any security | ||
| documentation for their users. This document is ideal for projects currently in the | ||
| CNCF **sandbox** as well as projects that are looking to receive a joint assessment and | ||
| currently in CNCF **incubation**. | ||
|
|
||
| For a detailed guide with step-by-step discussion and examples, check out the free | ||
| Express Learning course provided by Linux Foundation Training & Certification: | ||
| [Security Assessments for Open Source Projects](https://training.linuxfoundation.org/express-learning/security-self-assessments-for-open-source-projects-lfel1005/). | ||
|
|
||
| # Self-assessment outline |
There was a problem hiding this comment.
Please go back to ensure that no template text like this is included here or in the rest of the document
eddie-knight
reviewed
Dec 8, 2023
Containerd/self-assessment.md
Outdated
| @@ -0,0 +1,350 @@ | |||
| # Self-assessment | |||
There was a problem hiding this comment.
Suggested change
| # Self-assessment | |
| # Containerd Self-assessment |
smallfoot47
changed the title
smallfoot47
changed the title
smallfoot47
changed the title
There was a problem hiding this comment.
It appears that something got wonky with the commit history here. Same with the _index.md file linked below. Please check your history and clean it up accordingly.
Nate-Smithline
force-pushed
the
main
branch
2 times, most recently
from
bc4388e
to
27c8e8a
Compare
ragashreeshekar
requested changes
Dec 13, 2023
| Role: Leverage containerd for deploying, managing, and orchestrating containerized applications. | ||
| Interaction: Engage with containerd through various interfaces and tools, contributing to the widespread adoption and integration of containerized solutions. | ||
|
|
||
| ### Actions |
There was a problem hiding this comment.
This section talks about the various functions/benefits of this project however it is meant to showcase the individual parts of your system that interact to provide the desired functionality.
Ref: https://github.com/cncf/tag-security/blob/main/assessments/guide/self-assessment.md#actors
Please update this section to include the right actors.
Containerd/self-assessment.md
Outdated
|
|
||
| ## Self-assessment use | ||
|
|
||
| This self-assessment is created by the Containerd team to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health. |
There was a problem hiding this comment.
Can you please specify at the top which member of the maintainer team acted as an author on this? (Or otherwise rephrase)
|
|
||
| https://azure.microsoft.com/en-us/updates/generally-available-containerd-support-for-windows-in-aks/ | ||
|
|
||
| * Related Projects / Vendors: |
There was a problem hiding this comment.
Please elaborate how these project/vendors relate to this project, and what the key differences between them are.
Nate-Smithline
approved these changes
Dec 14, 2023
Nate-Smithline
approved these changes
Dec 14, 2023
…f#1118) Bumps [postcss](https://github.com/postcss/postcss) to 8.4.31 and updates ancestor dependency [autoprefixer](https://github.com/postcss/autoprefixer). These dependencies need to be updated together. Updates `postcss` from 7.0.39 to 8.4.31 - [Release notes](https://github.com/postcss/postcss/releases) - [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md) - [Commits](postcss/postcss@7.0.39...8.4.31) Updates `autoprefixer` from 9.5.0 to 10.4.16 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](postcss/autoprefixer@9.5.0...10.4.16) --- updated-dependencies: - dependency-name: postcss dependency-type: indirect - dependency-name: autoprefixer dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com> Co-authored-by: Vivek Radhakrishnan <vrk3366@nyu.edu> Co-authored-by: Swati Baleri <sb9156@nyu.edu> Co-authored-by: Sunny Li <sl9052@nyu.edu> Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: nomnomninja <150766910+nomnomninja@users.noreply.github.com> Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: Sunny Li <100388296+sunnnnyli@users.noreply.github.com>
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
Comment on lines
2
to
8
| The Self-assessment is the initial document for projects to begin thinking about the | ||
| security of the project, determining gaps in their security, and preparing any security | ||
| documentation for their users. This document is ideal for projects currently in the | ||
| CNCF **sandbox** as well as projects that are looking to receive a joint assessment and | ||
| currently in CNCF **incubation**. | ||
|
|
||
| # Self-assessment outline |
There was a problem hiding this comment.
This is superflous, see this example for what to remove
Suggested change
| The Self-assessment is the initial document for projects to begin thinking about the | |
| security of the project, determining gaps in their security, and preparing any security | |
| documentation for their users. This document is ideal for projects currently in the | |
| CNCF **sandbox** as well as projects that are looking to receive a joint assessment and | |
| currently in CNCF **incubation**. | |
| # Self-assessment outline |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| ## Metadata | ||
|
|
||
| A table at the top for quick reference information, later used for indexing. |
There was a problem hiding this comment.
Suggested change
| A table at the top for quick reference information, later used for indexing. |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
Comment on lines
41
to
42
| Provide the list of links to existing security documentation for the project. You may | ||
| use the table below as an example: |
There was a problem hiding this comment.
Suggested change
| Provide the list of links to existing security documentation for the project. You may | |
| use the table below as an example: |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| ## Overview | ||
|
|
||
| Containerd is a Cloud Native Computing Foundation (CNCF) Project focused on providing the core functionalities for container orchestration. Specifically architected to focus on modularity and compatibility, this provides a secure and minimal approach making it a great option for integrating into different container systems. |
There was a problem hiding this comment.
Suggested change
| Containerd is a Cloud Native Computing Foundation (CNCF) Project focused on providing the core functionalities for container orchestration. Specifically architected to focus on modularity and compatibility, this provides a secure and minimal approach making it a great option for integrating into different container systems. | |
| Containerd is a container runtime focused on providing the core functionalities for managing container lifecycles. Specifically architected to focus on modularity and compatibility, it provides a secure and minimal approach making it a great option for integrating into different container orchestrators. |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| Containerd, a fundamental tool in the realm of containerization, provides a dependable and standardized approach to managing containers. It is a lightweight yet powerful container runtime, ensuring a consistent and efficient experience. | ||
|
|
||
| Originally developed by Docker, Inc. as an integral part of the Docker project, Containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality led to Containerd, an independent project dedicated to container management. |
There was a problem hiding this comment.
Suggested change
| Originally developed by Docker, Inc. as an integral part of the Docker project, Containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality led to Containerd, an independent project dedicated to container management. | |
| Originally developed by Docker, Inc. as an integral part of the Docker project, containerd has evolved with the dynamic container ecosystem. Docker's decision to separate container runtime functionality from the runc project led to containerd, an independent project dedicated to container management. |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| **- Compatibility:** | ||
|
|
||
| Aligned with the Open Container Initiative (OCI) specifications, Containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI. |
There was a problem hiding this comment.
Suggested change
| Aligned with the Open Container Initiative (OCI) specifications, Containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI. | |
| Aligned with the Open Container Initiative (OCI) specifications, containerd ensures compatibility with other runtimes and tools adhering to the OCI standard. This compatibility facilitates easy transitions between container runtimes supporting OCI. |
Ensure the correct name containerd is used everywhere that it's not starting a sentence. See https://www.docker.com/blog/what-is-containerd-runtime/ for an example
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| **- Containerd Core:** | ||
|
|
||
| Role: Serves as the core orchestration engine, managing the complete lifecycle of containers. |
There was a problem hiding this comment.
Suggested change
| Role: Serves as the core orchestration engine, managing the complete lifecycle of containers. | |
| Role: The core container orchestration engine, managing the complete container lifecycle. |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| **- Image Registries:** | ||
|
|
||
| Role: Acts as repositories for container images, collaborating with containerd in tasks such as image pulling, pushing, and managing metadata. |
There was a problem hiding this comment.
Suggested change
| Role: Acts as repositories for container images, collaborating with containerd in tasks such as image pulling, pushing, and managing metadata. | |
| Role: Repositories for container images, providing storage and retrieval for containerd in tasks such as image pulling, pushing, and metadata management. |
sublimino
reviewed
Dec 15, 2023
Containerd/self-assessment.md
Outdated
|
|
||
| ## Self-assessment use | ||
|
|
||
| This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Swati Baleri, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health. |
There was a problem hiding this comment.
Suggested change
| This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Swati Baleri, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health. | |
| This self-assessment was authored by Swati Baleri, Vivek Radhakrishnan, Sunny Li, and Nathan Smith with a format established by the Containerd maintainers. The purpose of this document is to perform an internal analysis of the project's security. It is not intended to provide a security audit of Containerd, or function as an independent assessment or attestation of Containerd's security health. |
Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
Signed-off-by: Nate-Smithline <nathan_m_smith@outlook.com>
torinvdb
reviewed
Jan 16, 2024
Containerd/self-assessment.md
Outdated
Comment on lines
1
to
3
| # Containerd Self-assessment | ||
|
|
||
| ## Table of contents |
There was a problem hiding this comment.
Suggested change
| # Containerd Self-assessment | |
| ## Table of contents | |
| # Containerd Self-assessment | |
| This assessment was created by community members as part of the [Security Pals](https://github.com/cncf/tag-security/issues/1102) process and is currently pending changes from the maintainer team. | |
| ## Table of contents |
torinvdb
reviewed
Jan 16, 2024
Containerd/self-assessment.md
Outdated
Comment on lines
23
to
29
| | | | | ||
| | -- | -- | | ||
| | Software | [containerd](https://github.com/containerd/containerd) | | ||
| | Security Provider | No | | ||
| | Languages | Go, C++ | | ||
| | SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) | | ||
| | | | |
There was a problem hiding this comment.
Suggested change
| | | | | |
| | -- | -- | | |
| | Software | [containerd](https://github.com/containerd/containerd) | | |
| | Security Provider | No | | |
| | Languages | Go, C++ | | |
| | SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) | | |
| | | | | |
| | | | | |
| | -- | -- | | |
| | Assessment Stage | Incomplete | | |
| | Software | [containerd](https://github.com/containerd/containerd) | | |
| | Security Provider | No | | |
| | Languages | Go, C++ | | |
| | SBOM | [Packages](https://github.com/containerd/containerd/tree/main/pkg) [Versions](https://github.com/containerd/containerd/tree/main/version) | | |
| | | | |
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com> Signed-off-by: Raga <ragashreeshekar@gmail.com>
Co-authored-by: torinvdb <65670557+torinvdb@users.noreply.github.com> Signed-off-by: Raga <ragashreeshekar@gmail.com>
|
@SassyQuatch47 Kindly address the pending suggestions. We (maintainers) do not have the permissions to update the PR hence we look forward to your updates. In the event it is not feasible, feel free to extend the permissions to us and we are happy to make the updates on your behalf. Thanks! |
Hi @ragashreeshekar , I apologize for the delay. We have given you permissions to update this PR. If any further issues come up, do let us know and we'd be happy to help! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Containerd Project Self-Assessment
Nathan Smith
Sunny Li
Swati Baleri
Vivek Radhakrishnan
Created and added first draft for OpenMetrics Project Security Self-Assessment.
Please feel free to share your feedback on the security self-assessment.