Merge branch 'main' into dependabot/go_modules/Tests/kaas/kaas-sonobuoy-tests/go_modules-985326579b

Author: garloff

.github/workflows/build-docker.yml

@@ -3,6 +3,11 @@ name: Build and publish scs-compliance-check Docker image
 'on':
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
+  push:
+    branches:
+    - main
+    paths:
+      - 'Tests/**'
 
 env:
   REGISTRY: ghcr.io
@@ -31,6 +36,10 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+            type=ref,event=branch
+            type=sha
 
       - name: Build and push Docker image
         uses: docker/build-push-action@v5

.zuul.d/secure.yaml

@@ -79,6 +79,50 @@
           o9slrGAyL7g3zdjNlUJA04U33SNCvaCxL8fac6JZ15vrqeW4g4AB4+rx7fYKAnOVg2FOL
           5jMOKsiGgfLvz1KZ9c6Q1ThfeCQzG9waWJnyCx2R2tEtyQ17hIW6Rzo1RzmQkUyvLN9TJ
           CLSZCUoR+2Ut+ZlpDi3vVushWWLXyjj8ojblTO/zqlbQ1A+7d/C+5x2mrh2T/0=
+      cnds_ro_ac_id: !encrypted/pkcs1-oaep
+        - l2IMEJwkw8xqgzKvCkPgGVzoBNiMrj/+oNfq3dvFyLU8f/AJ8XDMsmaeNBj/hSGY6O3ar
+          Qs8ckn6BUTD253Ft8izsvv7E535KN/o5IhN7f+juKri1jVus/XLkrx3t3exHL1piSy0y/
+          y5k1FGpEclmzyEdtaCorEOQraXRCLAOmyYba6aCt5YhPVJkOjv8Aupy7Y/tSHXdsFKgZt
+          fJItALWehZVbYtl4WHpmrPwV0uW8mKo/T41o2aJDJ3a2BRodqVvTNSZb9YNnLyBkxW+Kc
+          w1AAk9E2U+tinWxFAJQAE42JZIesv6F9SoJhl9ViYsENjNtwdpndrrF1j2BmmiqJ1kVwp
+          y4UHnheNUBsIXe2RUnRq2z0m0rQ/kyQQSTluUV0QGnb34a3GuMqPCsiAAbFRuL6Ax8zXu
+          UoQ+C6BCNXJJzyjbJC9CLILqHLqZUCkYimiBf4+GmoDEANNi5FUZgtwK0p9TJN/7KvLJ0
+          h+73PtoCnVrnsYcaEu+tJO3Jfm43tilTRixTtVbWL1F+dgnBCdh3dFHm3l16npEMxpyR9
+          2P6BKyeROBAwaBURc3UhtqZjwMc+YmYLGXRDjd/DKyLHJ0j27ONWCtQHbRzJZjxfvrMfC
+          dyowl8wOxpgd3EiUDDufncD7JmKBcyJRQOvTTGJz6T3cP8h9b65103faoyVRo0=
+      cnds_ro_ac_secret: !encrypted/pkcs1-oaep
+        - KvlXdw4RIkzHwaZPeeI+lhycJboSRBh7DJ/43Q0sNP9o1vkJG72pSv8w2HhycZU95SU6g
+          k0B5uMwIHpXiQnmjgA4f8lLMkI6ppA5FLL5F3LwsVIlfUI1x8aM8Zl+LyVHSZJ/0kP3l7
+          QTEJ6DDNVdI6xftCkKQiABUCMYwgbZsU3c3rJeF/RAuCUtrs/gRv+2F4/es7UWaafYvQa
+          gqx4nC7LGn+7q1UH4BIbwVQdjH8f7H1SSEkz4t1goNqgVMqqv24hNF/KMRRGfZ/Zv9zPt
+          B+uczjb4Jc6zwJL/zF+sZc1pIt9zn/RijJTYv0BX+ldfMiOflST/FlXcMZqULXHnyQLK/
+          iqaJcTfI7fv1OCUtpNc0n6dJhK8piU//1JQ3Yanov0QTdEo4OTRxirGxIobzJfFl+hf+8
+          D5b1ZKqkPhoTGP/vjl1XzvV2QuJ+ZX6P9GWKJr4r/9b2RuwywD71fUbXqmEva3/THY2Sg
+          gY6QHocYpATL46iLkv97QANNUxTdxL7hQjdl/tf3TAHjCclmxdWhBJdvCJN/1xCM6EgVp
+          NykBYxJ+kxSmkcFCSdUM8Td75bA/UzkPCdix1reJMdEAxTE9fC55XQ/liTLlGquQDnZty
+          VLDH7x3ZJcxZsvqKR6vNbYYzJvDPTBYpHrhD7kx3ubyO9KX+SzZ+Dfhe9M8T8U=
+      focis_ac_id: !encrypted/pkcs1-oaep
+        - KB/tDE/a07eU+xtwor1iLxhvRdA/6bgkZn2aCPvkYtKKoVmT6sXpfRl1t319WqZRIRkoh
+          GK0d9KMJkVT+Q5sbZiSxMD24yMBvwaImIBG6OCzxjyklqal1SOt6CLx4q/uGoGl7QrPOM
+          WcRoluG1FCoDeUewgaZ50TQD0TQ8YGxuhRZi6s8KldDrYVkB/9HBUmwNhgd2LhExmNbtR
+          rRwV7nTJgy3bPDZzJHrKUBk04ZCP1gYRWB4DamsSDV1K+BxeiuxtL6QaoYqZPPWqNoCf3
+          XL6zHCFWKXZM2gkkgZF0/MG8F0vUVILSL9ObF0/Ueozyxzs1oss3zfET2bR3WNNasP2+D
+          NueSiYzurLlVcX0XmqSdcHwiNolc3sfnUAL1uHeRP/KNhRpe3P4nBIkAp+Z5OUw616YdG
+          63CRWs/X/TdshOiMaScGwHGwytaSincar/7e8HM4EbHN5Gg8t1+/Qs2MopuPLyPcH8ogo
+          YbdI4KBz6CcfrNdtut9XlmNLT91emT9ayC+XDqBypksHXHcypuqoOHMQUdjSPtXDLsI//
+          dsSRxDL+4TtWaVovPAxaLGsiVohsoCEdAxBmYxbkA2DNYdOMf6glu7O4wMtEIjaBdzdfP
+          CKfkOiwdCjtq++Ofn/C+3zI+2H+58TosQdCXcYIGmyKw5WSN7/sCosWDUtcsq4=
+      focis_ac_secret: !encrypted/pkcs1-oaep
+        - E8fpHXVmMa7ptAndyV8fqgC6tmGL9qmtpI10q1Yh6Qo0iIt09HNl8aZLtupmavTqYJg+D
+          7BI3ziTG4PNfc6MK0rvsQE/jGCf/XGW7yyfrmcvok+8mwD7foya5gEDLvbxFuIUopdTEt
+          Wk+5qLHNv87fKtQVGoda1qZXQ2ZjEw3sLv5eENLEft+u3XZnPLMVJ3p9ZGK0mvBcIfAlk
+          qPpSigJhZSaKC0ndZsiWvIaD9lkKYVqcIs8BjVj0tH3DM9yxVT1Ky59aERWc4vKYnZTkN
+          JxdLCVhWttT77qSXWZm1SE+GhqmmZRRh4xsnDWW7MMZ48OG36VOZOvOpk34sIzQ6+n/I4
+          zL+bxnPw2vjF6PKbUWD2p8LFbiZbJ7VR4N0656MI3WOzkjMC3+CKIAm8jwJS94SNsGShA
+          KRnp4y6eyZqWV+oJngIaIjz0wAQc/iocWaq7eiZBAjyrPAJjmOYgcHzkV/ryoZx+rLFi5
+          ZxVGDNNZEUA4dAYW6o+aK6GG7yIAE57MoyIPToFBMngnvk2ao2Vyd2f+JL//6IjF4C/V9
+          UjBCh4LVOwxibUQcm8m3hPmnnLTGF1cAKJTyfbP+gdYnYLjCAXBG2z/CubYAQUGV+eSwk
+          a/d4ptd1S9331Cao1VeWUAI5vI28oyO/KIPrKpEBn0LmJwcLn9qEI6O1V6YvhA=
       poc_wgcloud_ac_id: !encrypted/pkcs1-oaep
         - dQIs3NJt1CpP1925+b9QjjwonqjmiuCl1ewxw160yIEHQ/qyQiwutJbsg4IYS9XKhKc2X
           GumOOpLY7+/uNRR5pZmEfOdlGnPoJvVhYtCqHBFy7xQ6NLHKFxCT8zHM9ppSl1Hjc2G2F

CODEOWNERS

@@ -0,0 +1,11 @@
+*                      @mbuechse @depressiveRobot @fkr @garloff	
+
+/compliance-monitor/   @mbuechse @depressiveRobot
+
+/Tests/                @mbuechse @depressiveRobot
+
+# Members of the Project Board are the owners of the Community
+# Governance - see: 
+# https://docs.scs.community/community/governance/project-board
+/Community-Governance/ @fkr @matofeder @garloff @jschoone @berendt
+

Community-Governance/2025-12-project-board-nominees.md

@@ -0,0 +1,7 @@
+# Nominees 2026 Project Board
+
+For the term 2025-12 - 2026-12 the following people are nominated / have nominated themselves:
+
+| Name, Firstname     | Github Handle  | E-Mail                              |
+| ------------------- | -------------- | ----------------------------------- |
+|                     |                |                                     |

README.md

@@ -27,3 +27,8 @@ Testsuite and tools for SCS standards, see [Tests/README.md](https://github.com/
 ### Drafts
 
 Old Design-Docs folder with existing Architectural Decision Records (ADRs). This directory is currently in the process of being consolidated and cleaned up. See [cleanup step-1](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0002-v1-standards-docs-org.md#suggested-cleanup-step-1) and [open questions](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0002-v1-standards-docs-org.md#open-questions).
+
+## License
+
+The documents in this repository are licensed under CC-BY-SA-4.0 (Attribution-ShareAlike 4.0).
+The bundled software, scripts, test-cases are licensed under AGPLv3 (GNU AFFERO GENERAL PUBLIC LICENSE Version 3). The corresponding directories carry the LICENSE files accordingly.

Standards/scs-0001-v1-sovereign-cloud-standards.md

@@ -107,7 +107,7 @@ embedded in the markdown header.
 | Field name      | Requirement                                                                | Description                                                                           |
 | --------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
 | `type`          | REQUIRED                                                                   | one of `Procedural`, `Standard`, `Decision Record`, or `Supplement`                   |
-| `status`        | REQUIRED                                                                   | one of `Draft`, `Stable`, `Deprecated`, or `Rejected`                                 |
+| `status`        | REQUIRED precisely when `type` is not `Supplement`                         | one of `Draft`, `Stable`, `Deprecated`, or `Rejected`                                 |
 | `track`         | REQUIRED                                                                   | one of `Global`, `IaaS`, `KaaS`, `IAM`, `Ops`                                         |
 | `supplements`   | REQUIRED precisely when `type` is `Supplement`                             | list of documents that are extended by this document (e.g., multiple major versions)  |
 | `deprecated_at`  | REQUIRED if `status` is `Deprecated`                                       | ISO formatted date indicating the date after which the deprecation is in effect       |
@@ -193,7 +193,9 @@ In case there is little or no activity in some team, the SIG Standardization/Cer
 can take decisions on behalf of such a team. The SIG will seek alignment with the Project
 Board for decisions with large impact to ensure we have the wanted broad alignment.
 
-Supplements may be kept in Draft state, because they are not authoritative.
+From this perspective,
+Supplements are perpetually kept in phase Draft, because they are not authoritative,
+and this phase is not recorded in the document (i.e., no `status` field).
 
 ### Proposal phase
 
@@ -223,8 +225,9 @@ for a Supplement of `scs-0100-v3-flavor-naming.md`,
 the file name might be `scs-0100-w1-flavor-naming-implementation-testing.md` (note the `w1`!).
 
 The metadata MUST indicate the intended `track` and `type` of the document,
-and the `status` MUST be set to `Draft`;
-for a Supplement, the `supplements` field MUST be set
+and the `status` MUST be set to `Draft`,
+except for a Supplement;
+where, instead, the `supplements` field MUST be set
 to a list of documents (usually containing one element).
 
 Upon acceptance by the group of people identified by the `track`,
@@ -285,6 +288,8 @@ Changes to the documents are gated through pull requests.
 
 Once the document is deemed ready for production use,
 its `status` is changed to `Stable`.
+Additionally, the field `stabilized_at` MUST be added and set to a date after which the document is
+to be considered stable.
 
 If the document in question is a `Standard`
 (and if applicable),

Standards/scs-0004-v1-achieving-certification.md

@@ -22,17 +22,17 @@ As operator, I want to obtain a certificate with the scope SCS-compatible IaaS o
 
 1. Each certificate issued pertains to a given combination of subject (i.e., cloud environment), scope (such as _SCS-compatible IaaS_), and version of that scope. The certificate is only valid for that combination and for the time frame that ends when the scope expires, or for six months if the expiration date for the scope is not yet fixed.
 
-2. The operator MUST ensure that the official [SCS compliance test suite](https://github.com/SovereignCloudStack/standards/tree/main/Tests) (which does not require admin privileges) is run at regular intervals and the resulting reports transmitted to the [SCS compliance monitor](https://github.com/SovereignCloudStack/standards/tree/main/compliance-monitor).
+2. The operator MUST ensure that the official [SCS compliance test suite](https://github.com/SovereignCloudStack/standards/tree/main/Tests) (which does not require admin privileges) is run at regular intervals and that all tests pass. The operator MUST submit the resulting reports to the [SCS compliance monitor](https://github.com/SovereignCloudStack/standards/tree/main/compliance-monitor).
 
    For public clouds, the SCS certification assessment body can take on this task provided that suitable access to test subject is supplied.
 
    The test suite is partitioned according to resource usage; the required test intervals depend on this classification:
 
-    - _light_: at least nightly,
+    - _light_: at least daily,
     - _medium_: at least weekly,
     - _heavy_: at least monthly.
 
-3. If the desired certificate requires manual checks, then the operator MUST offer the SCS project suitable documentation. Manual checks MUST be repeated once every quarter. In addition, the SCS certification assessment body reserves the right to occasionally verify documentation on premises.
+3. If the desired certificate requires manual checks, then the operator MUST offer suitable documentation to the SCS certification assessment body. The operator MUST ensure that these checks are repeated once every quarter. In addition, the SCS certification assessment body reserves the right to occasionally verify documentation on premises.
 
 4. Details on the standards achieved, as well as the current state and the history of all test and check results of the past 18 months will be displayed on a public webpage (henceforth, _certificate status page_) owned by SCS.
 
@@ -44,7 +44,7 @@ As operator, I want to obtain a certificate with the scope SCS-compatible IaaS o
 
 7. If the certificate is to be revoked for any reason, it will be included in a publicly available Certificate Revocation List (CRL), maintained by the SCS certification assessment body. This fact will also be reflected in the certificate status page.
 
-8. If any of the automated tests or manual checks fail after the certificate has been issued, the certificate is not immediately revoked. Rather, the automated tests MUST pass 99.x % of the runs, and the operator SHALL be notified at the second failed attempt in a row at the latest. In case a manual check fails, it has to be repeated at a date to be negotiated with the SCS certification assessment body. It MAY NOT fail more than two times in a row.
+8. If any of the automated tests or manual checks fail after the certificate has been issued, the certificate is not immediately revoked. Rather, the operator SHALL be notified automatically. The operator MUST then fix the issue and ensure that the automated tests run successfully again as quickly as possible. In case a manual check fails, it has to be repeated at a date to be negotiated with the SCS certification assessment body.
 
 ## Design Considerations
 

Standards/scs-0004-w1-achieving-certification-implementation.md

@@ -2,7 +2,6 @@
 title: "Implementation hints for achieving SCS-compatible certification"
 type: Supplement
 track: Global
-status: Draft
 supplements:
   - scs-0004-v1-achieving-certification.md
 ---
@@ -20,12 +19,12 @@ that lets their applications run in a reliable way.
 The SCS certification process typically consists of a few simple steps:
 
 1. Running the SCS compliance test suite and adjusting the infrastructure until it passes.
-2. Any additional declarations (for non-testable aspects) are written and passed to the SCS certification body.
+2. Any additional declarations (for non-testable aspects) are written and passed to the SCS certification assessment body.
 3. The operator must be a member ("shaper" or "advisor" level) of the Forum SCS-Standards in the
    OSB Alliance (a non-profit) and pay the respective membership fees. Alternatively fees can
    be paid without becoming a member.
 4. The cloud can be listed on the SCS pages as *SCS-compatible* with a compatibility status that is
-   updated on a daily basis. SCS then tests the infrastructure on a daily basis.
+   updated regularly. The infrastructure is then tested on a regular basis.
 
 The precise rules that govern how certificates are issued or withdrawn are defined in the
 [SCS standard 0004](scs-0004-v1-achieving-certification.md).
@@ -59,8 +58,8 @@ criteria. In case of doubt, audits can be performed.
 The SCS brand belongs to the Open Source Business Alliance e.V. (OSBA), an non-profit organization and
 association for the Open Source Industry in Germany. After the completion of the funded SCS project
 in the OSBA on 2024-12-31, the OSBA sets up the Forum SCS-Standards
-which performs the work to evolve the SCS standards, develops the tests and perform the certification
-process and thus becomes the SCS certification body.
+which performs the work to evolve the SCS standards, develops the tests and performs the certification
+process and thus becomes the SCS certification assessment body.
 
 Members of the OSBA can become also member of the Forum SCS-Standards for an additional membership
 fee, providing the financial resources for the Forum SCS-Standards to do its work. Membership in the
@@ -75,7 +74,7 @@ can become officially certified.
 
 The SCS team will add the cloud to the [list of certified clouds](https://docs.scs.community/standards/certification/overview)
 on the SCS docs page. This can be used to prove to customers that the cloud is SCS compliant.
-Note that for public clouds, there will be a nightly job that tests the cloud for compliance, which will be
+Note that for public clouds, there will be a regular job that tests the cloud for compliance, which will be
 triggered by SCS infrastructure (zuul). For this, access to a tenant on the cloud needs
 to be provided free of charge. (This only requires very low quota, one VM is created for a minute
 in one of the tests.)
@@ -106,7 +105,7 @@ Once your cloud is listed in the
 [list of certified clouds](https://docs.scs.community/standards/certification/overview)
 which is fed by the
 [compliance manager](https://compliance.sovereignit.cloud/page/table), it
-will enjoy the nightly tests. These might fail for a number of reasons:
+will enjoy the regular tests. These might fail for a number of reasons:
 
 * There is a new version of the SCS standards in effect and you need to adjust things.
 * Your cloud was unreachable or otherwise had intermittent issues.
@@ -128,6 +127,6 @@ as it may be easier to focus on just the one failing aspect of your infrastructu
 
 Your cloud will show up as failing in the compliance manager after tests start
 failing; this is not the same as a revoked certification, though. For clouds that have been
-compliant before, it is highly recommended to work with the SCS certification body
+compliant before, it is highly recommended to work with the SCS certification assessment body
 upon such failures to determine a way back into compliance that avoids certification
 revocation.

Standards/scs-0007-v1-certification-integrators.md

@@ -1,7 +1,8 @@
 ---
 title: Certification of integrators
 type: Procedural
-status: Draft
+status: Stable
+stabilized_at: 2025-08-01
 track: Global
 description: |
   SCS-0007 defines the process and rules on how SCS integrators are certified.
@@ -14,6 +15,8 @@ For this purpose, two essential criteria are defined that must be fulfilled. In
 
 ## Motivation
 
+As an integrator, I want to obtain a certificate with the scope of _Certified SCS IaaS Integrator_ or _Certified of SCS KaaS Integrator_ in order to prove sufficient technical knowledge and experience to provide technical support for SCS.
+
 ## Regulations
 
 The certificates are awarded for the period of one year.

Standards/scs-0007-w1-certification-integrators-implementation-notes.md

@@ -2,7 +2,6 @@
 title: "Implementation hints for achieving Certified SCS Integrator"
 type: Supplement
 track: Global
-status: Draft
 supplements:
   - scs-0007-v1-certification-integrators.md
 ---