Problem
See design doc for details.
Solution & Acceptance Criteria
This should cover the following topics:
- How to fill out the SSDLC report template.
- How to generate the SBOM augmented file for the release.
- The SBOM augmented file should be merged back to the main branch after the release.
- How to determine that we’ve met our SLA regarding issues found via third-party vulnerability and static analysis scanning.
- How to generate the SARIF file for the release using gosec.
- Add documentation of who is allowed to release the project.
- In our case this is "all engineers on the Tools and Replicator team".
We also need this to include some information about our development practices, per our SSDLC Policy.
depends on:
- TOOLS-3533 Add a build.go target to generate the SBOM Lite file (Closed)
- TOOLS-3534 Integrate this project with Snyk for third-party vulnerability scanning (Closed)
- TOOLS-3535 Add gosec as a linter and add minimal precious config (Closed)
- TOOLS-3536 Update release workflow to fail if gosec finds any high or critical vulnerabilities (Closed)
- TOOLS-3537 Create the SSDLC report template (Closed)
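Two of the items above, generating the SARIF file with gosec and failing the release on high or critical findings, fit together as one release gate. The following is an added example, not code from this project or from gosec: a small Go program that reads the SARIF produced by `gosec -fmt=sarif -out=results.sarif ./...` and exits non-zero when any result is HIGH or CRITICAL. It assumes the GitHub convention of a numeric `security-severity` score in each rule's `properties` (9.0+ critical, 7.0+ high); where a rule carries no score it falls back to the SARIF `level` (`error` treated as HIGH, `warning` as MEDIUM). The embedded SARIF document is constructed for the example; the rule IDs and messages are only illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strconv"
)

// sarifLog is the minimal subset of SARIF 2.1.0 the gate needs.
type sarifLog struct {
	Runs []struct {
		Tool struct {
			Driver struct {
				Rules []sarifRule `json:"rules"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct {
			RuleID  string `json:"ruleId"`
			Level   string `json:"level"`
			Message struct {
				Text string `json:"text"`
			} `json:"message"`
		} `json:"results"`
	} `json:"runs"`
}

type sarifRule struct {
	ID         string         `json:"id"`
	Properties map[string]any `json:"properties"`
}

// Finding is one SARIF result with its resolved severity bucket.
type Finding struct {
	RuleID   string
	Severity string // CRITICAL, HIGH, MEDIUM or LOW
	Message  string
}

// severityOf buckets a result. Assumption: rules may carry a numeric
// "security-severity" property (GitHub convention); otherwise the SARIF
// level is used as a fallback.
func severityOf(level string, rule *sarifRule) string {
	if rule != nil {
		if s, ok := rule.Properties["security-severity"].(string); ok {
			if score, err := strconv.ParseFloat(s, 64); err == nil {
				switch {
				case score >= 9.0:
					return "CRITICAL"
				case score >= 7.0:
					return "HIGH"
				case score >= 4.0:
					return "MEDIUM"
				default:
					return "LOW"
				}
			}
		}
	}
	switch level {
	case "error":
		return "HIGH"
	case "warning":
		return "MEDIUM"
	default:
		return "LOW"
	}
}

// GateSARIF parses a SARIF document and returns the findings that must block
// a release (HIGH or CRITICAL) together with the total number of results.
func GateSARIF(data []byte) ([]Finding, int, error) {
	var doc sarifLog
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, 0, fmt.Errorf("parse sarif: %w", err)
	}
	var blocking []Finding
	total := 0
	for _, run := range doc.Runs {
		// Index rules by ID so each result can be joined to its metadata.
		rules := map[string]*sarifRule{}
		for i := range run.Tool.Driver.Rules {
			r := &run.Tool.Driver.Rules[i]
			rules[r.ID] = r
		}
		for _, res := range run.Results {
			total++
			sev := severityOf(res.Level, rules[res.RuleID])
			if sev == "HIGH" || sev == "CRITICAL" {
				blocking = append(blocking, Finding{res.RuleID, sev, res.Message.Text})
			}
		}
	}
	return blocking, total, nil
}

// sampleSARIF is a constructed document used when no file path is given.
const sampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "gosec", "rules": [
      {"id": "G101", "properties": {"security-severity": "8.0"}},
      {"id": "G104", "properties": {"security-severity": "3.0"}},
      {"id": "G401", "properties": {}}
    ]}},
    "results": [
      {"ruleId": "G101", "level": "error", "message": {"text": "Potential hardcoded credentials"}},
      {"ruleId": "G104", "level": "note", "message": {"text": "Errors unhandled"}},
      {"ruleId": "G401", "level": "warning", "message": {"text": "Use of weak cryptographic primitive"}}
    ]
  }]
}`

func main() {
	data := []byte(sampleSARIF)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	blocking, total, err := GateSARIF(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range blocking {
		fmt.Printf("%s %s: %s\n", f.Severity, f.RuleID, f.Message)
	}
	fmt.Printf("%d of %d findings block the release\n", len(blocking), total)
	if len(blocking) > 0 {
		os.Exit(1) // non-zero exit fails the release workflow step
	}
}
```

Run as `go run gate.go results.sarif` after the gosec step; with the embedded sample it reports one blocking finding (G101 at 8.0 is HIGH, G104 at 3.0 is LOW, and G401 with no score falls back to its `warning` level, MEDIUM) and exits 1. Keeping the score-based path separate from the level fallback means the gate keeps working if the rule metadata format changes, while still erring on the side of blocking.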