Description
Name
CI Dependency Recipe Card
Short description
Create a short "recipe card" that provides guidance for project maintainers about CI dependencies.
Responsible group
TAG Security and Compliance
Does the initiative belong to a subproject?
No
Subproject name
No response
Primary contact
Marina Moore (@mnm678)
Additional contacts
No response
Initiative description
This initiative from the Software Supply Chain Security TCG will create a short "recipe card" with practical guidance about securing CI dependencies. This guidance will be narrowly scoped to CI dependencies, and will discuss how to choose these dependencies and how to respond to vulnerabilities in them. The goal is to focus on concrete steps and advice for project maintainers, including specific tooling and processes. The recipe card will link to other, more in-depth documents like the TAG Security and Compliance Software Supply Chain Security Best Practices Guide where needed for those looking to learn more. The recipe itself will focus on guidance and action.
If this is successful, we hope to create several other short "recipe cards" for software supply chain security to break down this complex topic into small, actionable steps.
Deliverable(s) or exit criteria
A 3-4 page recipe card, with an accompanying blog post on the CNCF blog
Tracking document for meeting and progress