| 1 | +#2025-04-09 Security Working Group monthly meeting |
| 2 | + |
| 3 | +##Agenda |
| 4 | + |
| 5 | +* Security disclosure policy |
| 6 | +* Github private vuln reporting |
| 7 | + |
| 8 | +* Dependabot/dependency issues |
| 9 | +* relenv – how are dependencies and their vulns being tracked |
| 10 | + |
| 11 | +* Salt extensions |
| 12 | +* Review copier template, Github Actions and discussion with Salt extensions WG |
| 13 | + |
| 14 | +* Github Actions security |
| 15 | +* Review of Actions in main repo |
| 16 | +* Scanning -[Zizmor](https://github.com/woodruffw/zizmor) |
| 17 | +* Supply chain security with GHA |
| 18 | + |
| 19 | +* Github Issues spam |
| 20 | +* Repo settings |
| 21 | +* Tooling |
| 22 | + |
| 23 | +* ACL support for netapi SSE/websocket endpoints |
| 24 | + |
| 25 | +##Present |
| 26 | + |
| 27 | +* Barney Sowood (@barneysowood) |
| 28 | +* Shane Lee (@twangboy) |
| 29 | +* Derek Ardolf (@ScriptAutomate) |
| 30 | +* Jim |
| 31 | + |
| 32 | +##Notes |
| 33 | + |
| 34 | +###Github private vulnerability reporting |
| 35 | + |
| 36 | +* Raised as possible way to simplify management of vulnerability reporting |
| 37 | +* Been investigated before - at that point issues with functionality (esp around private forks) |
| 38 | +*@ScriptAutomate to find previous issues[done] |
| 39 | +*@barneysowood to investigate and see if it would still be beneficial even without using private forks |
| 40 | + |
| 41 | +###relenv dependencies |
| 42 | + |
| 43 | +* Discussion of how dependencies are tracked for relenv |
| 44 | +*@ScriptAutomate would like to see SBOM for relenv and salt builds |
| 45 | +*@barneysowood to discuss further with@dwoz |
| 46 | + |
| 47 | +###salt-extenions Github Actions |
| 48 | + |
| 49 | +* Some concerns over permission usage in copier template |
| 50 | +*@barneysowood to complete further testing and discuss with maintainers |
| 51 | + |
| 52 | +###Github Actions security for Salt repo |
| 53 | + |
| 54 | +* Discusion of security in GHA for Salt repo |
| 55 | +* Scanning with[Zizmor](https://github.com/woodruffw/zizmor) hasn't revealed any serious issues |
| 56 | +* Some minor issues to look at |
| 57 | +* Longer term, looking at simplification and reduction in reliance on 3rd party Actions |
| 58 | +*@barneysowood to open PR with minor fixes |
| 59 | + |
| 60 | +###Github Issues spam |
| 61 | + |
| 62 | +* Problem recently on[saltstack/pepper](https://github.com/saltstack/pepper) repo |
| 63 | +* Some modifications to settings have helped but mainly relying on Github to catch and cleanup |
| 64 | +* No good solutions currently |
| 65 | + |
| 66 | +###ACL support for netapi SSE/websocket endpoints |
| 67 | + |
| 68 | +* No support for ACLs on netapi for SSE/websockets currently |
| 69 | +*@barneysowood working on possible feature - open PR and discussion when ready |
| 70 | + |
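Review bot: Most of the headings and several list items in this new file will not render, because the Markdown markers have no space after them: `+#2025-04-09 Security Working Group monthly meeting`, `+##Agenda` and `+###Github private vulnerability reporting` need `# `, `## ` and `### `, and the action items written as `+*@ScriptAutomate to find previous issues[done]` need `* ` (the `[done]` tag also reads better as `[done]` preceded by a space). The two links are glued to the preceding word (`Scanning -[Zizmor](...)`, `Problem recently on[saltstack/pepper](...)`) and need a space before the bracket. Typos: "Discusion" in the GHA section heading's first bullet and "salt-extenions" in the section heading. The agenda loses its grouping because sub-items such as "Review of Actions in main repo" and "Scanning - Zizmor" sit at the same level as their parent topic "Github Actions security"; indenting them as nested bullets would restore that. For the security action items, the notes would be easier to follow up if the Zizmor bullet recorded which findings count as the "minor issues" that the planned PR will fix, and if the SBOM action for relenv and salt builds named the intended format and where the SBOM is meant to be published, since neither is stated here.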