Epic: Improve Scanning in Releasechannel #33

@n3rdc4ptn

Description

Understand the Epic

The Releasechannel currently only supports scanning for CVEs. This needs to be enhanced by allowing for:

  • license scanning
  • security scanning
  • SBOM checks (insecure or prohibited dependencies)
  • regular checks
  • exceptions to check reports should be documentable and justified

Context / Background

No response

User Stories or tasks

  • As an operator of an MCP landscape, I want to ensure that managed components are scanned according to my compliance requirements.

What is required to accept the Epic as finished.

  • managed components are scanned before being put into our releasechannel
  • managed components are scanned continuously
  • exception reports are documented and justified
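The SBOM check from the Epic description and the "exception reports are documented and justified" acceptance criterion above, as an added example that is not part of this issue, of open-mcp or of the OCM Delivery Gear. It reads a CycloneDX JSON subset, checks components against a hypothetical operator Policy (prohibited SPDX license IDs and banned package-URL prefixes), and only waives a finding when an Exception carries a reason, an approver and an unexpired date. The Policy and Exception shapes, the rule names and the sample SBOM are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SBOM is the subset of a CycloneDX JSON document that this check reads.
type SBOM struct {
	Components []Component `json:"components"`
}

type Component struct {
	PURL     string `json:"purl"`
	Licenses []struct {
		License struct {
			ID string `json:"id"`
		} `json:"license"`
	} `json:"licenses"`
}

// Policy is a hypothetical operator configuration (not a Delivery Gear format):
// SPDX license IDs that must not appear and package-URL prefixes that are banned.
type Policy struct {
	ProhibitedLicenses []string
	ProhibitedPURLs    []string
}

// Exception records why a finding is tolerated. It only counts when it has a
// reason, a named approver and an expiry date that has not passed.
type Exception struct {
	PURL, Reason, Approver string
	Expires                time.Time
}

func (e Exception) valid(now time.Time) bool {
	return strings.TrimSpace(e.Reason) != "" && strings.TrimSpace(e.Approver) != "" && now.Before(e.Expires)
}

// Finding is one policy hit for one component, with the exception outcome attached.
type Finding struct {
	PURL, Rule, Note string
	Waived           bool
}

// Check evaluates the SBOM against the policy and applies documented exceptions.
func Check(sbomJSON []byte, p Policy, exceptions []Exception, now time.Time) ([]Finding, error) {
	var sbom SBOM
	if err := json.Unmarshal(sbomJSON, &sbom); err != nil {
		return nil, fmt.Errorf("parse sbom: %w", err)
	}
	var findings []Finding
	for _, c := range sbom.Components {
		var rules []string
		for _, prefix := range p.ProhibitedPURLs {
			if strings.HasPrefix(c.PURL, prefix) {
				rules = append(rules, "prohibited-package:"+prefix)
			}
		}
		for _, l := range c.Licenses {
			for _, bad := range p.ProhibitedLicenses {
				if l.License.ID == bad {
					rules = append(rules, "prohibited-license:"+bad)
				}
			}
		}
		for _, rule := range rules {
			f := Finding{PURL: c.PURL, Rule: rule, Note: "no exception on file"}
			for _, e := range exceptions {
				if e.PURL != c.PURL {
					continue
				}
				if e.valid(now) { // a complete, unexpired exception waives the finding
					f.Waived, f.Note = true, fmt.Sprintf("waived by %s until %s: %s", e.Approver, e.Expires.Format("2006-01-02"), e.Reason)
				} else { // an exception without reason/approver, or expired, is recorded but does not waive
					f.Note = "exception on file but invalid (missing reason/approver or expired)"
				}
			}
			findings = append(findings, f)
		}
	}
	return findings, nil
}

// Blocking reports whether any finding lacks a valid exception, i.e. whether
// the component must be kept out of the release channel.
func Blocking(findings []Finding) bool {
	for _, f := range findings {
		if !f.Waived {
			return true
		}
	}
	return false
}

// Constructed sample input: three components, two of which trip the policy.
var SampleSBOM = []byte(`{"bomFormat":"CycloneDX","components":[
 {"name":"left-pad","purl":"pkg:npm/left-pad@1.3.0","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"gpl-lib","purl":"pkg:npm/gpl-lib@2.0.0","licenses":[{"license":{"id":"GPL-3.0-only"}}]},
 {"name":"legacy-crypto","purl":"pkg:golang/example.com/legacy-crypto@0.1.0","licenses":[{"license":{"id":"Apache-2.0"}}]}]}`)

var SamplePolicy = Policy{ProhibitedLicenses: []string{"GPL-3.0-only"}, ProhibitedPURLs: []string{"pkg:golang/example.com/legacy-crypto"}}
var SampleNow = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
var SampleExceptions = []Exception{
	// documented and approved: waived until the expiry date
	{PURL: "pkg:golang/example.com/legacy-crypto@0.1.0", Reason: "only linked into offline test fixtures", Approver: "security-team", Expires: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)},
	// no reason given: must not silence the finding
	{PURL: "pkg:npm/gpl-lib@2.0.0", Approver: "dev", Expires: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)},
}

func main() {
	findings, err := Check(SampleSBOM, SamplePolicy, SampleExceptions, SampleNow)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-48s %-45s waived=%v  %s\n", f.PURL, f.Rule, f.Waived, f.Note)
	}
	fmt.Println("blocking:", Blocking(findings))
}
```

Running the same Check on a schedule against the current SBOM of each component, with `now` advancing, is what turns this into the continuous scan the acceptance criteria ask for: an exception that was valid at admission time stops waiving the finding once it expires, so the report surfaces it again instead of silently carrying the waiver forward.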

Dependencies of this Epic

  • we should check whether using the OCM Delivery Gear is a valid solution, as it already does compliance scanning for OCM components

Risks of this Epic

  • dependency on the OCM team building and maintaining the Delivery Gear: we should investigate what is needed to contribute and how much effort this needs

Known Stakeholders of this Epic

  • operators of MCP landscapes

Milestone Definitions for this Epic.

  • Experiment around OCM Delivery Gear and implementation effort
  • New PR based workflow with Delivery Gear
  • Continuous scanning in releasechannel

Metadata

Assignees

No one assigned

Labels

  • area/open-mcp: All ManagedControlPlane related issues
  • kind/epic: Epic covers multiple issues/tasks
  • needs/validation: Verify Issue and Prio with PO

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests