[Initiative]: Update Project Security Guidelines #2186

@jkjell

Description

Name

Update Project Security Guidelines and Templates

Short description

Update the security guidelines and templates on contribute.cncf.io

Responsible group

TAG Security and Compliance

Does the initiative belong to a subproject?

No

Subproject name

No response

Primary contact

@jkjell

Additional contacts

No response

Initiative description

A continuation of cncf/tag-security#1260 to update the guidance found on the CNCF's contribute.cncf.io for best practices around projects' security hygiene. Additionally, there are templates for some security sections that may also need to be updated.

While all areas of the current guidance should be updated for relevancy and accuracy, there are also some potential new areas. TAG Security and Compliance often receives questions around, and can offer authoritative guidance on:

  • Security Baseline
  • SBOM and SLSA Build Provenance generation
  • Dependency review and selection
  • GitHub Actions Workflows security

Additional topics and areas may be considered upon TAG S&C leadership agreement and community interest.

Deliverable(s) or exit criteria

  • Review of current guidance for relevancy and accuracy
  • Creation of well-defined tasks to update specific existing sections
  • Creation of well-defined tasks to add new relevant sections
  • New sections added for:
    • Security Baseline
    • SBOM and SLSA Build Provenance generation
    • Dependency review and selection
    • GitHub Actions Workflows security

Tracking document for meeting and progress

https://notes.cncf.io/3KfWEuEjRdOZ7E-g1VMirQ

Metadata

Assignees

No one assigned

Labels

  • kind/initiative: An initiative or an item related to initiative processes
  • needs-triage: Indicates an issue or PR that has not been triaged yet (has a 'triage/foo' label applied)
  • tag/security-and-compliance: TAG Security and Compliance
