Security Slam North America 2022
Published: February 1, 2023
The Cloud Native Computing Foundation (CNCF), in partnership with Sonatype, completed its 2022 Security Slam virtual event on November 21, 2022. The inaugural event featured the participation of 13 open source software projects and a total donation of $27,500.00 by Google to the CNCF Diversity Scholarship Fund.
The Linux Foundation, the CNCF's parent organization, designed Security Slam as an event leading up to KubeCon + CloudNativeCon, culminating in its coverage at KubeCon + CloudNativeCon North America 2022 in Detroit in late October.
Projects that participated in Security Slam leveraged existing CNCF tools to increase their open source security posture, awareness, and compliance. CLOMonitor, a CNCF tool built by Artifact Hub creators Sergio Castaño Arteaga and Cintia Sánchez García, evaluated each project and generated a completion score on a scale of 0 to 100%.
Eleven different CNCF projects raised their CLOMonitor Security score to 100% by the beginning of KubeCon + CloudNativeCon in Detroit. Open source maintainers and contributors of participating projects received awards and recognition from CNCF and the Linux Foundation.
Additionally, as thanks for his effort to streamline security automation in every participating project, Justin Marquis was named the overall greatest contributor to the Security Slam!
Projects that made it to 100%
The partnership behind Security Slam
The CNCF partnered with Sonatype to create educational materials and instructional content to help publicize Security Slam and guide participants through the development process.
With a long history of supporting the open source community, particularly through its stewardship of Maven Central, Sonatype ensured contributors and maintainers received the information they needed to improve their security postures and thereby raise their completion scores.
In addition to the CNCF and Sonatype partnership to manage the event, Google committed to donate up to $50,000 in total to the CNCF Diversity Scholarship Fund, with a share credited in the name of each participating project that hit the 100% completion milestone.
Although the key event activities ended with this year’s North American KubeCon + CloudNativeCon, projects were still able to work to increase their completion scores through Monday, November 21, 2022 to influence Google’s overall donation amount.
The tools to evaluate and improve each project’s security
As a tool that scans open source project repositories, CLOMonitor runs a number of checks to verify a project's overall health. CLOMonitor leverages security checks from the Open Source Security Foundation (OpenSSF) Scorecard tool.
CLOMonitor contains the following check sets:
- Code – a set of high standards meant to check a project's primary code repository
- Code-lite – a subset of the Code set that evaluates coding best practices but not software security, intended particularly for secondary repositories
- Community – a set of checks to evaluate best practices for community engagement
- Docs – a set of checks for a primary README document and a proper software license
Sonatype, as part of their partnership with the CNCF, also helped identify knowledge gaps and served up additional tooling options to maintainers and contributors.
While Security Slam initially relied on manually crafted checklists to track each project's progress in their GitHub repositories, CLOMonitor maintainers added a capability to generate Markdown checklists with descriptions and embedded documentation links directly within the clomonitor.io dashboard.
In addition to this CLOMonitor capability, Sonatype created checklist issues on every tracked repository within every participating project to help maintainers and contributors track their Security Slam progress.
To help streamline the development processes of participating projects, Sonatype integrated CLOMonitor with Sonatype Lift via its GitHub integration, which is free for public repositories. This gave maintainers and contributors feedback on each pull request rather than making them wait for the hourly refresh cadence of the clomonitor.io dashboard.
Maintainers and contributors find value and new solutions in Security Slam
As KubeCon + CloudNativeCon approached and project deadlines drew closer, maintainers and contributors of participating projects gained newfound motivation to improve their open source security and uncovered new methods to more efficiently raise their Security Slam scores.
Argo in particular expanded their scope and objectives to bolster the security of multiple repositories in their project ecosystem.
One of the most daunting things I saw during the Slam was when the Argo community decided to move their own goalposts. Initially, only ArgoCD was being tracked for the Argo project, and it was held to the highest standard on CLOMonitor. They weren’t satisfied until they adjusted CLOMonitor to evaluate five different repositories using the hard-to-reach code standard.
Developer Advocate, Sonatype
The high standards Argo's maintainers and contributors set for themselves spread to other participants. Justin Marquis, a community member and contributor to Argo, helped lay a foundation for work completed by many of the CNCF projects.
When Marquis committed his contribution related to signed releases, he added a strong set of instructions to his pull request. Security Slam participants shared the link to Marquis’ PR as a go-to solution for passing one of the more difficult security checks in CLOMonitor.
While Argo streamlined a solution in terms of signed releases, maintainers for K8GB implemented SLSA provenance in their release pipeline.
By participating in the Security Slam, we managed to heavily secure the K8GB project pipelines and adhere to SLSA framework practices. It was incredible to observe how quickly we can organize and solve the complex stuff thanks to some good competition-based deadlines provided by Security Slam.
While Security Slam created a gamified space for collaboration between maintainers and contributors, participants also noted the event’s educational component on an individual level.
Without this 100% goal, we would probably lose interest in increasing the security of our project because we haven’t gotten a lot of feedback from users about security. I was also surprised at how little I knew about project security. This was the first time I learned about the permissions mechanism in GitHub workflows.
Maintainer, Chaos Mesh
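The "permissions mechanism in GitHub workflows" the Chaos Mesh maintainer mentions is the `permissions:` key that scopes the `GITHUB_TOKEN` a workflow receives; when it is absent, the token falls back to the repository's default, which can be read-write across the repository. The following is an added example, not code from the page, from CLOMonitor or from Scorecard: a small line-based audit, in the spirit of a token-permissions check, run over two constructed release workflows. The weak one declares no permissions at all; the hardened one sets a read-only default at the top level and grants `contents: write` and `id-token: write` only to the release job that needs them (the `cosign` step and the `sigstore/cosign-installer` action are illustrative assumptions about how such a job signs its artifacts, not a description of any Security Slam project's pipeline).

```python
"""Audit GitHub Actions workflows for GITHUB_TOKEN permission hygiene.

Added example: a deliberately small, line-based scanner that needs no YAML
library. It handles the common layout (two-space indentation, jobs listed
under a top-level `jobs:` key) and ignores `#` comments. Real workflow files
with unusual formatting should be parsed with a proper YAML loader instead.
"""

# Constructed sample: no `permissions:` anywhere, so GITHUB_TOKEN keeps the
# repository default, which may be read-write for the whole repository.
WEAK_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make release
"""

# Constructed sample: read-only default at the top, write scopes only on the
# job that uploads and signs the release (assumed tooling: cosign via the
# sigstore/cosign-installer action; adapt to your own release process).
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to upload release assets
      id-token: write   # needed for keyless (OIDC) signing
    steps:
      - uses: actions/checkout@v3
      - uses: sigstore/cosign-installer@v2
      - run: make release
      - run: cosign sign-blob --yes dist/app.tar.gz --output-signature dist/app.tar.gz.sig
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _strip(line):
    """Drop a trailing `#` comment and whitespace (naive: assumes no '#' in values)."""
    return line.split("#", 1)[0].rstrip()


def _capture(lines, i, indent):
    """Read the value of the `permissions:` key at lines[i] (indented by `indent`).

    Returns (value, next_index). The value is a scalar string such as
    'read-all', 'write-all' or '{}' when given inline, otherwise a dict
    mapping scope -> level collected from the nested block.
    """
    _, _, inline = _strip(lines[i]).partition(":")
    i += 1
    if inline.strip():
        return inline.strip().strip("'\""), i
    perms = {}
    while i < len(lines):
        body = _strip(lines[i])
        if body.strip() and _indent(body) <= indent:
            break
        if body.strip():
            scope, _, level = body.strip().partition(":")
            perms[scope.strip()] = level.strip()
        i += 1
    return perms, i


def scan_permissions(text):
    """Return (top_level_permissions, {job_name: job_permissions}); None = absent."""
    lines = text.splitlines()
    top, jobs, in_jobs, current_job, i = None, {}, False, None, 0
    while i < len(lines):
        body = _strip(lines[i])
        if not body.strip():
            i += 1
            continue
        ind, key = _indent(body), body.strip().partition(":")[0]
        if ind == 0:
            in_jobs, current_job = (key == "jobs"), None
            if key == "permissions":
                top, i = _capture(lines, i, 0)
                continue
        elif in_jobs and ind == 2:
            current_job = key
            jobs.setdefault(current_job, None)
        elif in_jobs and ind == 4 and key == "permissions" and current_job:
            jobs[current_job], i = _capture(lines, i, 4)
            continue
        i += 1
    return top, jobs


def _grants_write(perms):
    if isinstance(perms, str):
        return perms == "write-all"
    return any(level == "write" for level in perms.values())


def audit(text):
    """Return a list of findings; an empty list means the workflow passes."""
    top, jobs = scan_permissions(text)
    findings = []
    if top is None:
        findings.append("no top-level permissions: GITHUB_TOKEN falls back to the repository default")
    elif _grants_write(top):
        findings.append(f"top-level permissions grant write to every job: {top}")
    for name, perms in jobs.items():
        if perms == "write-all":
            findings.append(f"job {name!r}: permissions: write-all")
        elif top is None and perms is None:
            findings.append(f"job {name!r}: no permissions block and no top-level default")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit(wf) or "OK")
```

The rule encoded in `audit` is the one a practitioner usually wants: declare a read-only default once at the top of the file, then grant write scopes per job and only for the scopes that job actually uses, so a compromised step in a build job cannot push tags or publish releases with the workflow's token.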
Even after KubeCon + CloudNativeCon, projects continued to join Security Slam and worked to increase their completion scores through the official deadline of Monday, November 21, 2022. Eddie Knight, Developer Advocate at Sonatype, met maintainers for Cortex in the CNCF project area onsite at KubeCon + CloudNativeCon and struck up a conversation about the CLOMonitor score in the context of Security Slam. A few days later, maintainer Alvin Lin announced on Slack that Cortex had worked quickly and already achieved the 100% Security score.
As Security Slam projects reaped the value of improving open source security together, maintainers and contributors gained ground to win over developers who demand a higher level of trust in the security of the product.
Users notice when open source projects adopt supply chain best practices, and it helps them gauge the trustworthiness of the project. There's friendly competition to have top CLOMonitor scores and also a feeling of camaraderie as everyone works to improve their projects.
Maintainer, Argo CD