Security Review Matrix

This is a drafting space for LFN Quality and Security goals

Define common quality and security goals across LFN projects
Define metrics and tools to measure and verify if goals are reached
Define templates to guide, document and review project progress

Available resources:

Quality Goal	LFN Wiki			CNCF templates	OpenSSF	Key Measures	LFX	Github
Project Vitals	Project Data Template (currently used both for induction ☑️ and health review ✅ *)	LFN Lifecycle states and guidelines (metrics per lifecycle stage)	LFN Security Forum Best Practices		Best Practices Passing badge	Scorecard
Project Name	☑️			README-template.md			PCC Project Definition
Project Creation Date	☑️					Age?	PCC Project Definition
Project License	☑️			LICENSE; README-template.md	^[^{floss_license}^][^{floss_license_osi}^][^{license_location}^]	Degree of FOS	PCC Project Definition
Legal Details and checks							PCC Project Definition
Community Size	☑️					#s
Contributing organizations (Diversity)	☑️ ✅	☑️				#s
Number of contributors		☑️				#s
Lifecycle Stage	☑️						PCC Project Definition
Release schedule	☑️					Months
Adoption		☑️				Not sure how to measure. Downloads?
Health Review				CNCF Devstats	Criticality Score		PCC Health Metrics; Insights	Github health metrics
Release Information	✅
Number of commits (over last year)	✅
Number of active committers	✅
Number of Active committers per organization	✅
Number of PR/changeset	✅
Mailing list activity	✅
Project & Community Resources					^[^discussion^]
Website	☑️			README.md	^[^{description_good}^]	Yes/NO	PCC Domain
Wiki	☑️			README.md		Yes/NO	PCC Wiki
Mailing List	☑️			README.md		Yes/NO	PCC mailing list
Slack	☑️			README.md		Yes/NO
Community Meetings	☑️			README.md		Yes/NO	PCC manage meetings
Project Governance
TSC/TOC	☑️	☑️		GOVERNANCE.md; GOVERNANCE-elections.md; GOVERNANCE-maintainer.md;		Yes/No
Charter	☑️					Yes/No
Code of Conduct	☑️			CODE_OF_CONDUCT.md; README.md		Yes/No
How to contribute	☑️	☑️		CONTRIBUTING.md; README.md	^[^interact^]; ^[^contribution^];[contribution_requirements]	Yes/No
Project Roles	☑️	☑️		CONTRIBUTOR_LADDER.md		Yes/No
Maintainers	☑️	☑️		MAINTAINERS.md
How to Review	☑️	☑️		REVIEWING.md
Adding/Removing PTLs	☑️	☑️		MAINTAINERS.md ??
Sub-Project Lifecycle	☑️	☑️		GOVERNANCE-subprojects.md
Dispute Resolution		☑️
Adding/removing committers	☑️	☑️
Sub-projects without a lead		☑️
Documentation					^[^english^]
Technical Documentation	☑️	☑️			^[^{documentation_basics}^][documentation_interface]	what should be minimum criteria? or scale
Contributor onboarding Documentation		☑️			^[^interact^]; ^[^contribution^][contribution_requirements]	Yes/No
Company Diversity (past 12 months)		☑️
Number of Contributors		☑️
Release Management		☑️			^[^{version_unique}^][^{version_semver}^][version_tags]^[^{release_notes}^][release_notes_vulns]	Release notes contains patched and outstanding defects ( details)
CI CD integration		☑️			^[^build^];[build_common_tools][build_floss_tools]	degree of automation, analysis tools, traceability of overrides, failures
Adoption		☑️
Security Design Principals		☑️
Use Case/ Problem Statement
Problem that project solves	☑️			README.md	^[^{description_good}^]
Use Cases Scenarios	☑️			README.md
Infrastructure Tooling
Wiki	☑️
Repos	☑️				[repo_public]^[^repo_track^][^repo_interim^][^{repo_distributed}^]
Bug Tracking tool	☑️				[report_tracker]
Code review	☑️
CI/CD tooling	☑️				^[^build^];[build_common_tools][build_floss_tools]
Collaboration Tooling	☑️
Roadmap				Roadmap Guide
Near/long-term objectives	☑️
Milestones	☑️
Risks/Challenges	☑️
Timeline	☑️
Security Best Practices				Security Guidelines for New Projects			Security
Security Contacts				SECURITY-CONTACTS.md	[know_secure_design][know_common_errors]	Yes, channels,
Code Scanning		☑️				license, code vulnerability, static, dynamic, manual	Snyk, Blubracket
Seed code handoff		☑️
Coding Standards		☑️	☑️		^[^warnings^][^{warnings_fixed}^][^{warnings_strict}^]
Security design principals		☑️	OSSF Scorecard; OSSF Best Practices			self assessment or audit, outside assessment/audit
Vulnerability Reporting			☑️	SECURITY.md; incident-response.md	[release_notes_vulns]^[^{vulnerability_report_process}^][^{vulnerability_report_private}^][vulnerability_report_response]
Bug reporting					[report_process]^[^{report_tracker}^][^{report_responses}^][^{enhancement_responses}^][report_archive]	days to patch, bug found during ( unit, static, dynamic, integration, field operations
Demonstrate Security Awareness			☑️		all of this column.
Practice Secure Lifecycle Management (per release)			☑️		cryptographic practices; Secured delivery against man-in-the-middle (MITM) attacks; Publicly known vulnerabilities fixed; ^[^{no_leaked_credentials}^]
Security Documentation			☑️		[vulnerabilities_fixed_60_days] [vulnerabilities_critical_fixed]
CI/CD best practices			☑️
Secure project architecture			☑️		[sites_https]
Supply Chain Security			☑️	CNCF Supply Chain Security		code intake scans, 3rd party code ver alignment, 3rd party code vulnerability reporting
SBOM creation			☑️			Yes/NO
Static Application Security Testing (SAST)			☑️		^[^{static_analysis}^][^{static_analysis_common_vulnerabilities}^][static_analysis_fixed][static_analysis_often]	<--
Dynamic Application Security Testing (DAST)			☑️		[dynamic_analysis]^[^{dynamic_analysis_unsafe}^][dynamic_analysis_enable_assertions][dynamic_analysis_fixed]	<--
Software Composition Analysis (SCA)			☑️
Container vulnerablitiy scanning			☑️
Code Coverage Testing			☑️		[test][test_invocation]^[^test_most^][test_continuous_integration]; [test_policy][tests_are_added][tests_documented_added]	<--
Code Quality			☑️