- Meeting notes on HackMD: https://hackmd.io/MX4W9EE0RBeO3xfJ9wDi_Q
- When: Second and fourth Thursdays at 15:00 UTC (See your timezone here)
- Zoom Bridge: https://zoom.us/j/94947282554?pwd=UndPWjFkQTJSUGo4WTRZWjlDaEQvUT09
- Zoom International dial-in numbers: https://zoom.us/zoomconference
- Meeting Recordings: CDF Youtube Channel SIG Software Supply Chain Playlist
- Presentation Schedule: https://hackmd.io/l1BfXp1kQKGKSaKLbl6xJw
- CDF Public Calendar: here
Meeting agenda and notes are kept on HackMD.io, where everyone can add new topics to the agenda for upcoming meetings or take notes during the meetings. Please click the edit button to edit the document.
- Ankit, Berkshire Grey
- Osama Magdy, Jenkins X
- Rajat Gupta, Jenkins X
- Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
- Brett Smith, SAS
- Emil Bäckmark, Ericsson, CDEvents
- Fatih Degirmenci, CDF
- Kara de la Marck, CDF
- Rajat Gupta
- Tharwat Abou-Helal
- David Bendory, Google
- David Espejo
- Hergy Tchuinkou
- Parth Patel, Kusari
- Georg Kunz, Ericsson
- Action Item Review, All
- Supply Chain Security Journey for Jenkins X - Now and Beyond, Osama Magdy, Jenkins X
- Supply Chain Maturity Model, David Bendory, Google
- Context: slack msg
- https://github.com/ossf/scorecard
- Code Health Project Score ("CHiPS" and SLSA) (hat tip: thanks to Billy Lynch for the clever name!)
- Parth -- runtime attestations ("is my application only reaching out to known destinations")
- Justin -- this sounds like policies that provide metrics around maturity
- Interested in Supply Chain Maturity Model / "CHiPS"? Please contact David Bendory on Slack to get involved.
- From Zoom: Brett, Justin, Ankit, and Parth stated in the Zoom chat their interest in taking part in the effort
- Fatih Degirmenci, CDF
- Tracy Ragan, DeployHub, Ortelius and OpenSSF Board Member, CDF TOC
- Justin Abrahms, eBay, CDF TOC/Board/SIG-Interoperability
- Terry Cox, Bootstrap
- Kara de la Marck, CDF
- David Bendory, Google
- Chuang Wang, Google
- Yongxuan Zhang, Google
- Prakash Jagatheesan, Google
- Ronan, Google
- Tim Miller, Kusari
- Alex Misdorp
- Michael Lieberman, Kusari
- Parth Patel, Kusari
- Andrea Frittoli, IBM, CDF TOC/Board/SIG-Events
- Brett Smith, SAS
- Charles Tudor, SAS
- Eric Wimmer, SAS
- Su Johnson, SAS
- Scott Todd, SAS
- Jill Madritch, SAS
- Ankit D Mohapatra, Berkshire Grey
- Rajat Gupta, Jenkins X
- Osama Magdy, Jenkins X
- Terry Cox
- David Espejo
- Georg Kunz
- Juliane
- Binary Authorization, David Bendory, Google
- CDF Reference Architecture, All
- Aligning our efforts to contribute to the CDF Reference Architecture from a Software Supply Chain perspective
- The deck used to kick off the discussion around the CDF Reference Architecture is available here
- The work started within SIG Best Practices, which meets on the 2nd and 4th Mondays of every month at 16:00 UTC. Meeting logistics are available here.
- The initial work can be seen in the CDF Best Practices website preview here.
- Contributions can be made to https://github.com/cdfoundation/best-practices-site/tree/refarch1
- AI: David Bendory to find out whether he can share the data points (e.g. proto or yaml) for the SBOM/provenance they capture.
- Response: https://slsa.dev/provenance exactly matches Google's internal format in some places, while in others it carries similar information but the schema is different.
Cancelled due to vacation period.
Cancelled due to vacation period.
- Fatih Degirmenci, CDF
- Brett Smith, SAS
- Ankit, BG, Jenkins X
- Terry Cox, Bootstrap
- Andrew Larsen, SAS
- Sudhindra Rao, JFrog
- Stephen Chin, JFrog
- Pyrsia Presentation, Sudhindra Rao Presentation
- None
Cancelled due to cdCon 2022.
- Stephen Levine, VMware
- Ciro da Silva Costa, VMware
- Terry Cox
- David Espejo, VMware
- Joshua Winters
- Kara de la Marck
- Rasheed Abdul-Aziz
- Sam Coward
- Scott Rosenberg
- Waciuma
- Fatih Degirmenci
- Ankit Mohapatra, Dexai Robotics, Jenkins X
- Action Item Review, All
- Open PRs discussion on SIG PoC, All
- PR on SIG PoC is open for feedback: cdfoundation#12
- PR on Pipeline Stages is open for feedback: cdfoundation/sig-interoperability#97
- Cartographer Presentation, Stephen Levine and Ciro da Silva Costa
- None
- Georg Kunz, Ericsson
- Erhan Vikyol, Storebrand
- Daniel Krivelevich, Cider Security
- Omer Gil, Cider Security
- Terry Cox
- Ann Marie Fred, Red Hat
- Asaf Greenholts
- David Espejo
- Kara de la Marck, CDF
- Moïse
- Fatih Degirmenci, Ericsson Software Technology
- Ankit Mohapatra, Dexai Robotics, Jenkins X
- Action Item Review, All
- Top 10 CI/CD Security Risks and CI/CD Goat, Daniel Krivelevich, Omer Gil, Cider Security
- Continue discussion on SIG PoC, All
- Isn't it still valuable to establish pipelines to demonstrate the activities to perform and stages/steps to create?
- CI/CD Terminology for Supply Chain Stages/Steps, All
- Contributing to SIG Interoperability Pipeline Stages/Steps terminology
- The initial PR: cdfoundation/sig-interoperability#97
- This will be useful as an input to SIG PoC
- None
- Fatih Degirmenci, Ericsson Software Technology
- Kara de la Marck, CDF
- Thomas Schuetz, Dynatrace
- Josh Gavant, Red Hat (@joshgav)
- Terry Cox
- David Espejo, VMware
- Maxime Gréau, Elastic
- Emil Bäckmark, Ericsson
- Georg Kunz, Ericsson
- Action Item Review, All
- CNCF TAG App Delivery and podtato-head, Thomas Schuetz (Dynatrace) and Josh Gavant (Red Hat)
- The work done by TAG App Delivery and podtato-head has the potential to be used as part of the CDF SIG Software Supply Chain Proof of Concept to examine the runtime aspects of the software supply chain.
- Issue about documenting how to propose new scenarios/patterns and development frameworks: cncf/tag-app-delivery#167
- Similar ideas
- CI/CD Terminology for Supply Chain Stages/Steps, All
- Contributing to SIG Interoperability Pipeline Stages/Steps terminology
- The initial PR: cdfoundation/sig-interoperability#97
- This will be useful as an input to SIG PoC
- None
- Jason Hall (Red Hat)
- Maxime Gréau (Elastic)
- Ankit (Dexai Robotics)
- Kara de la Marck (CDF)
- Fatih Degirmenci (Ericsson Software Technology)
- Terry Cox
- Priya Wadhwa (Chainguard)
- Liora Milbaum (Red Hat)
- Action Item Review, All
- Meeting Time Change, All
- Meeting time changed to 15:00 UTC
- Meeting invite sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
- Setting the scope for the SIG PoC, All
- PoC Document: https://hackmd.io/U6q685gFTdWRrkWZechvGw?view
- TektonCD Chains Presentation/Demo, Priya Wadhwa, Chainguard
- None
- David Espejo [VMware]
- Georg Kunz, Ericsson
- Mike Lieberman [Citi, CNCF Supply Chain Security WG]
- Billy Lynch [Google, Tekton]
- Ankit Mohapatra [Dexai Robotics, Jenkins X]
- Kara de la Marck, CDF
- Erhan Vikyol, Storebrand
- Liora Milbaum, Red Hat
- Fatih Degirmenci, Ericsson Software Technology
- Terry Cox
- Andrea Frittoli, IBM
- Ann Marie Fred, Red Hat
- Enric Forn
- Maor Kuriel
- Moïse Kameni
- Parth Patel
- Praneetha Manthravadi
- Timothy Miller
- Action Item Review
- Meeting Time Change
- Meeting time will change to 15:00 UTC starting from next meeting on April 14th
- Meeting invite will be sent to the SIG's mailing list - https://lists.cd.foundation/g/sig-software-supply-chain
- Upcoming Presentations
- The schedule is available here
- TektonCD Chains, Priya Wadhwa, Chainguard, 2022-04-14, 15:00 UTC
- CNCF TAG App Delivery and Pod-tato Head, Thomas Schuetz, Dynatrace, 2022-04-28, 15:00 UTC
- Cartographer, James Rawlings, 2022-05-12, 15:00 UTC
- Secure Software Factory Reference Architecture and SSF Presentation/Demo/Discussion, Michael Lieberman
- Secure Software Factory Reference Architecture: https://docs.google.com/document/d/15M_Mzfqy634E_sqoslmOXsZJl4TedpbXpBjOfz-hnXk/edit
- SSF Reference Implementation: https://github.com/buildsec/ssf
- None
- Fatih Degirmenci, Ericsson Software Technology
- Maxime Gréau, Elastic
- Ann Marie Fred, Red Hat
- Erhan Vikyol, Storebrand
- Tracy Miranda, Chainguard
- Kara de la Marck, CDF
- Ankit D Mohapatra, Dexai Robotics
- Melissa McKay, JFrog
- Andrea Frittoli, IBM
- Georg Kunz, Ericsson
- Terry Cox
- Liora Milbaum, Red Hat
- Welcome and Introductions
- What is SIG Software Supply Chain and Why?
- Approach of the SIG
- SIG Logistics
- SIG Roadmap
- Initial Topics for the SIG Roadmap
- Knowledge Transfer
- Next Meeting on March 24, 2022
- March 24th falls between the dates on which NA and EMEA make the summer time change
- If we meet at 16:00 UTC, the meeting time will remain the same for EMEA but will be 1h later for NA
- If we meet at 15:00 UTC, the meeting time will remain the same for NA but will be 1h earlier for EMEA
- Or we skip the meeting to keep things simple; our next meeting would then be on April 14, 2022
- Open Discussion
- References
- Meeting Presentation
- CDF SIG Software Supply Chain Charter
- CNCF TAG Security, Software Supply Chain Best Practices Whitepaper
- Secure Software Factory
- TektonCD Chains
- CNCF TAG App Delivery Pod Tato Head
- CDF SIG Interoperability Terminology Work and Quality Gates Discussion
- None