Security tools adoption survey

The TAC is seeking a refresh of the project tool adoption. Projects should update this table by Oct 18, 2023

	SBOM	OpenSSF best practices badge	LFX Security Dashboard	Static Application Security Testing (SAST)	Software Composition Analysis (SCA)	Dynamic Application Security Testing (DAST)	Container Scanning	Automated Code Coverage Testing	Code Quality	Vulnerability Reporting	Other	Contact

	SBOM	OpenSSF best practices badge	LFX Security Dashboard	Static Application Security Testing (SAST)	Software Composition Analysis (SCA)	Container Scanning	Automated Code Coverage Testing	Code Quality	Vulnerability Reporting	Other	Contact
ONAP	In progress. Debugging SPDX Generator Jenkins integration	Adopted by all sub projects. Several sub-projects at Silver level	On-boarded. OpenSSF badging inaccuracy fixed. Stale repos removed.	SonarCloud	NexusIQ		SonarCloud	SonarCloud	Implemented	Active security sub-committee. Meets regularly and preemptively addresses threats and vulnerabilities.	@Amy Zwarico , @Pawel Pawlak
FD.IO	issue in finding suitable tool (VPP written in C code)	Work on OpenSSF badging not started yet but on a cursory review nearly all criteria are adopted.	On-boarded		Coverity	N/A	Gcov Report Generation CI job	Coverity	Implemented	Coverity scans (and fixing issues found) has been ongoing since 2016 Security Response Process in place since 2016	@Dave Wallace
ODL	Integrated CycloneDX into CI https://lf-lfnetworking.atlassian.net/browse/ODLPARENT-280	In Progress 90%	On-boarded								@Robert Varga
Anuket		Deemed inapplicable for spec sub-projects. @Cédric Ollivier : self declarative checks don't bring any value to the code project compared to patchset and deliverables verifications							See all -grype and -trivy views in build.opnfv.org ex: Xtesting xtesting-grype [Jenkins] (opnfv.org)	A few code projects are running the well known both Python and Docker security tools (bandit, trivy, etc.). They are even running as verification jobs in Functest. tox.ini - functest - Test suites and cases to verify OPNFV Platform functionality @Cédric Ollivier: is it only for master? a few LFN projects fail in checking the stable branches.	@Cédric Ollivier
EMCO	Work on SBOM not started yet	Work on OpenSSF badging not started yet	Gitlab is not yet supported by the dashboard (https://community.lfx.dev/t/gitlab-support-or-manual-scans/1003)						GitLab issues? (nothing formalized yet)	Security analysis (August 2021, @Srinivasa Addepalli) - Securing EMCO	@Nadathur Sundar
XGVela			On-boarded								@Qihui Zhao
L3AF			On-boarded								@Jason Niesz
ODIM			On-boarded								@Martin Halstead
Nephio		started	On-boarded								@Lucy Hyde (Unlicensed)