chore: provide OSSF security-insight

[mmorel-35]

Clomonitor requires a SECURITY-INSIGHTS.yml,
See https://clomonitor.io/projects/cncf/etcd#etcd_security

This was done with the help of https://github.com/ossf/security-insights-spec/tree/main/specification

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mmorel-35
Once this PR has been reviewed and has the lgtm label, please assign spzala for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @mmorel-35. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.75%. Comparing base (978985d) to head (0aa52fc).
Report is 58 commits behind head on main.

Additional details and impacted files

see 65 files with indirect coverage changes

@@            Coverage Diff             @@
##             main   #18940      +/-   ##
==========================================
+ Coverage   68.73%   68.75%   +0.01%     
==========================================
  Files         420      420              
  Lines       35561    35629      +68     
==========================================
+ Hits        24442    24495      +53     
- Misses       9690     9703      +13     
- Partials     1429     1431       +2     

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 978985d...0aa52fc. Read the comment docs.

[ivanvc]

cc. @jmhbnz, thoughts on this?

/ok-to-test

[jmhbnz]

cc. @jmhbnz, thoughts on this?

Thanks @mmorel-35 for raising the proposal. I like the idea / intent. However I am not a fan of the implementation as it feels like more clutter in the project root directory. It's not clear to me the benefits, is there a specific problem we are trying to solve? I would like to see atttention/tidy-up/improvement to what we already hold under security/ in the first instance.

[mmorel-35]

@jmhbnz ,
Have you checkzd the links peovided in the description ?
Clomonitor checks a number of criteria on cncf project and etc is one of them.
As you can see this particular file can help the scanner to have a more up to date information on the project conformity with security concern.

What’s troubling you with the information provided in SECURITY-INSIGHTS.yaml. Have I missed something or provided a wrong information ?

[jmhbnz]

@jmhbnz , Have you checkzd the links peovided in the description ? Clomonitor checks a number of criteria on cncf project and etc is one of them. As you can see this particular file can help the scanner to have a more up to date information on the project conformity with security concern.

Yes - As mentioned I have no issues with the idea / intent behind the pull request. What I dislike is the implementation (i.e. more clutter in our project top level directory).

What’s troubling you with the information provided in SECURITY-INSIGHTS.yaml.

No concerns with the content of the file, only the placement of the file within the project directory structure.

Have I missed something or provided a wrong information?

It's not clear to me the benefit or improvement to our project security posture as a result of merging this pr. It seems to be optional reporting metadata which I don't think warrants living at project top level directory. Just because a standard exists does not mean we have to adopt it blindly, there are trade-offs we need to consider. We have previously done work in #15778 and #15987 to reduce clutter in our top level directory so any new addition here should have a strong case.

Ultimately this is just my current personal view and I defer decision on merging this pr to the project tech leads @ahrtr and @serathius.

[ahrtr]

Thanks for your contribution, but please don't assume that others have the same background or did the same investigation/study as you. Please try to provide more context when you raise a PR.

It took me roughly 15 ~ 20 minutes to investigate&google the background, the following is what I got, for others reference,

• clomonitor is a project under cncf: https://github.com/cncf/clomonitor . It is a tool that periodically checks open source projects repositories to verify they meet certain project health best practices.
• clomonitor refers to the ossf in terms of security.
• Based on the https://clomonitor.io/docs/topics/checks/#dependencies-policy, the SECURITY-INSIGHTS.yml should be located at the root of the repository.
• Please also refer to https://github.com/ossf/security-insights-spec/blob/v1.0.0/specification.md
• https://www.trailofbits.com/ is also for fixing security problems. Please see my question in chore: provide OSSF security-insight #18940 (comment)

[ahrtr]

It's OK to keep this badge.

[ahrtr]

It's not clear to me the benefit or improvement to our project security posture as a result of merging this pr.

We already have OpenSSF Scorecard report, so we may not want to do this using another tool (clomonitor) again.

But it's OK to keep the OpenSSF Best Practices badge as mentioned in #18940 (comment)

[ahrtr]

Do we still need the SECURITY-INSIGHTS.yml file? If not, can we remove it?

[mmorel-35]

This file is the whole point of this PR. I'd rather see it closed rather than remove this file 😅

[ahrtr]

As mentioned above in #18940 (comment), OpenSSF Scorecard and CLOMonitor are doing similar thing, so we might not want to integrate CLOMonitor for now.