Share your community's best practices that might be applicable to other projects.
Documentation
CI/CD best practices
- Automating rejection of insecure merges (planned PoC in ONAP)
Software Bill Of Materials (SBOM)
- ONAP work - https://wiki.onap.org/display/DW/Software+Bill+of+Materials
- ONAP presentation - SBOM_DBOM.pptx
- Scripts for automated SBOM generation by Maven - <placeholder>
Architecture
Software packaging
How to secure the supply chain? Signing and authentication of artifacts. Are there common ways to package software in the LF? Tooling differs, depending on things like the programming language, so there may not be one tool that fits all.
How to test security (as part of CI/CD)?
How to manage dependencies?
- Direct dependencies are simpler
- Indirect dependencies may be more tricky
- How to automate the mitigation?
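An added example that ties the SBOM, dependency-management and merge-rejection items together; it is illustrative code written for this page, not the ONAP scripts or any LF project's tooling. It assumes the SBOM is in CycloneDX JSON form (the `metadata.component`, `components` and `dependencies` sections), uses a constructed five-component SBOM and a constructed, hypothetical set of "known vulnerable" package URLs in place of a real vulnerability feed, and shows how a direct dependency is separated from the transitive ones, which direct dependency has to be bumped to get rid of a vulnerable transitive one, and how that result becomes a merge gate.

```python
"""Walk a CycloneDX SBOM: split direct from transitive dependencies, locate
known-vulnerable components, and name the direct dependency that pulls each
one in (the thing a mitigation has to bump). Example code for this page."""
import json

# Constructed sample SBOM in CycloneDX JSON shape (not a real ONAP artifact).
APP = "pkg:maven/org.example/app@1.0.0"
WEB = "pkg:maven/org.example/web@2.1.0"
JSON_LIB = "pkg:maven/org.example/json@3.0.0"
PARSER = "pkg:maven/org.example/parser@1.4.2"
LOGGING = "pkg:maven/org.example/logging@1.2.0"

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": APP, "name": "app"}},
    "components": [
        {"type": "library", "bom-ref": WEB, "group": "org.example", "name": "web", "version": "2.1.0"},
        {"type": "library", "bom-ref": JSON_LIB, "group": "org.example", "name": "json", "version": "3.0.0"},
        {"type": "library", "bom-ref": PARSER, "group": "org.example", "name": "parser", "version": "1.4.2"},
        {"type": "library", "bom-ref": LOGGING, "group": "org.example", "name": "logging", "version": "1.2.0"},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [WEB, LOGGING]},   # direct dependencies of the app
        {"ref": WEB, "dependsOn": [JSON_LIB]},       # web pulls in json ...
        {"ref": JSON_LIB, "dependsOn": [PARSER]},    # ... which pulls in parser
        {"ref": PARSER, "dependsOn": []},
        {"ref": LOGGING, "dependsOn": []},
    ],
})

# Constructed, hypothetical vulnerability feed: package URLs known to be bad.
KNOWN_VULNERABLE = {PARSER}


def load_graph(sbom_text):
    """Return (root bom-ref, adjacency dict) from a CycloneDX JSON document."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root, graph


def direct_and_transitive(root, graph):
    """Direct deps are the root's children; transitive deps are everything reachable below them."""
    direct = set(graph.get(root, []))
    seen, stack = set(), list(direct)
    while stack:                      # iterative DFS, tolerates cycles
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return direct, seen - direct


def paths_to(root, graph, target):
    """Every dependency path root -> ... -> target (cycle-safe)."""
    paths = []

    def walk(ref, path):
        if ref == target:
            paths.append(path)
            return
        for child in graph.get(ref, []):
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return paths


def vulnerable_findings(sbom_text, known_vulnerable):
    """For each vulnerable component, report whether it is direct or transitive,
    the path that introduces it, and the direct dependency to bump (path[1])."""
    root, graph = load_graph(sbom_text)
    direct, transitive = direct_and_transitive(root, graph)
    findings = []
    for purl in sorted(set(known_vulnerable) & (direct | transitive)):
        for path in paths_to(root, graph, purl):
            findings.append({
                "vulnerable": purl,
                "kind": "direct" if purl in direct else "transitive",
                "fix_at": path[1],
                "path": path,
            })
    return findings


def merge_allowed(sbom_text, known_vulnerable):
    """CI gate: reject the merge if the SBOM contains any known-vulnerable component."""
    return not vulnerable_findings(sbom_text, known_vulnerable)


if __name__ == "__main__":
    for f in vulnerable_findings(SAMPLE_SBOM, KNOWN_VULNERABLE):
        print(f"{f['kind']:10} {f['vulnerable']}  bump: {f['fix_at']}")
        print("  via " + " -> ".join(f["path"]))
    print("merge allowed:", merge_allowed(SAMPLE_SBOM, KNOWN_VULNERABLE))
```

Run on the constructed SBOM, the vulnerable `parser` is reported as transitive, reached through `web -> json -> parser`, and `web` is named as the direct dependency to bump; `merge_allowed` returns False, which is the signal a CI job would turn into a failed check. A direct dependency would be reported with itself as `fix_at`, so the same output format covers the simpler case.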