From 9e305c3be6aa4acfefea1a65ead5eb6889bfeb1c Mon Sep 17 00:00:00 2001 From: mrhapile Date: Sun, 11 Jan 2026 01:34:37 +0530 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=93=96=20docs:=20document=20CI=20secu?= =?UTF-8?q?rity=20scanning=20workflows?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: mrhapile --- docs/content/direct/testing.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/content/direct/testing.md b/docs/content/direct/testing.md index 6e1c9960..0dc802ce 100644 --- a/docs/content/direct/testing.md +++ b/docs/content/direct/testing.md @@ -38,6 +38,36 @@ go test -v -timeout 60s -run ^TestCRDHandling$ ./test/integration/controller-man See `test/e2e/` in the GitHub repository. It has a README. +## CI Security Scanning + +KubeStellar includes automated security scanning workflows as part of its CI +infrastructure. These workflows are designed to improve supply-chain security +and provide early visibility into potential vulnerabilities. + +### OpenSSF Scorecard + +KubeStellar runs the OpenSSF Scorecard workflow to evaluate the repository +against a set of security best practices, such as branch protection, +dependency management, and CI configuration. + +The Scorecard workflow: +- Runs on a schedule and on changes to the main branch +- Produces results in SARIF format +- Publishes findings to the GitHub **Security** tab + +### Trivy Container Image Scanning + +KubeStellar also uses Trivy to scan container images built in CI for known +vulnerabilities (CVEs). + +The Trivy scanning workflow: +- Builds container images during CI +- Scans for **CRITICAL** and **HIGH** severity vulnerabilities +- Uploads results in SARIF format to the GitHub **Security** tab + +These workflows are part of the project’s CI infrastructure only and do not +affect the runtime behavior of KubeStellar deployments. + ## Testing releases See [the release testing doc](release-testing.md). 
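Review bot: the new "CI Security Scanning" section states as fact that KubeStellar "runs" an OpenSSF Scorecard workflow and "uses Trivy" to scan images, but the diffstat shows only `docs/content/direct/testing.md` changed (30 insertions) and no workflow definitions under the repository's CI directory are added or referenced, so the documentation describes behaviour the patch itself does not show exists. Either land the workflow files in the same series and name them here (for example "see the Scorecard and Trivy workflows under `.github/workflows/`", with the actual file names once they exist) or word the section so it does not assert they are already running. Two details a reader of a testing page will look for are also missing: the schedule behind "Runs on a schedule and on changes to the main branch" (state the cadence), and, for Trivy, whether **CRITICAL** and **HIGH** findings fail the job or are only uploaded to the **Security** tab; the text as written says what is scanned and where results go but never says whether a finding is blocking.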
From dd719418320c7820544f4f560f1783c7f8cd9a30 Mon Sep 17 00:00:00 2001 From: mrhapile Date: Tue, 13 Jan 2026 17:15:56 +0530 Subject: [PATCH 2/2] minor ai changes Signed-off-by: mrhapile --- docs/content/direct/testing.md | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/docs/content/direct/testing.md b/docs/content/direct/testing.md index 0dc802ce..c5589c4e 100644 --- a/docs/content/direct/testing.md +++ b/docs/content/direct/testing.md 
@@ -40,33 +40,34 @@ See `test/e2e/` in the GitHub repository. It has a README. ## CI Security Scanning -KubeStellar includes automated security scanning workflows as part of its CI -infrastructure. These workflows are designed to improve supply-chain security +KubeStellar will include automated security scanning workflows as part of its CI +infrastructure. These planned workflows are designed to improve supply-chain security and provide early visibility into potential vulnerabilities. ### OpenSSF Scorecard -KubeStellar runs the OpenSSF Scorecard workflow to evaluate the repository +KubeStellar will run an OpenSSF Scorecard workflow to evaluate the repository against a set of security best practices, such as branch protection, dependency management, and CI configuration. -The Scorecard workflow: -- Runs on a schedule and on changes to the main branch -- Produces results in SARIF format -- Publishes findings to the GitHub **Security** tab +The planned Scorecard workflow is expected to: +- Run on a schedule and on changes to the main branch +- Produce results in SARIF format +- Publish findings to the GitHub **Security** tab ### Trivy Container Image Scanning -KubeStellar also uses Trivy to scan container images built in CI for known +KubeStellar will also use Trivy to scan container images built in CI for known vulnerabilities (CVEs). -The Trivy scanning workflow: -- Builds container images during CI -- Scans for **CRITICAL** and **HIGH** severity vulnerabilities -- Uploads results in SARIF format to the GitHub **Security** tab +The planned Trivy scanning workflow is expected to: +- Build container images during CI +- Scan for **CRITICAL** and **HIGH** severity vulnerabilities +- Upload results in SARIF format to the GitHub **Security** tab -These workflows are part of the project’s CI infrastructure only and do not -affect the runtime behavior of KubeStellar deployments. 
+These workflows are part of the project’s CI infrastructure only (and may not yet +be present in this repository) and do not affect the runtime behavior of KubeStellar +deployments. ## Testing releases
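Review bot: the commit message "minor ai changes" does not describe the change; the hunk rewrites every sentence of the section from present tense ("runs", "uses", "Publishes") to future and conditional ("will run", "is expected to", "may not yet be present in this repository"), which is a substantive correction of the first patch rather than a minor edit, so a message such as "docs: mark CI security scanning workflows as planned" would make the history useful. More importantly, the resulting text documents workflows that, by its own final paragraph, "may not yet be present in this repository", which leaves a user-facing testing page describing security scanning that cannot be verified or relied on. Prefer one of two options: squash this into the first patch and hold the section until the Scorecard and Trivy workflows actually exist, or keep it but label the section explicitly as a planned or proposed CI addition and link the tracking issue (placeholder: ISSUE-NUMBER) so readers know where to check status. The parenthetical "(and may not yet be present in this repository)" also reads awkwardly inside the sentence about runtime behaviour; if the section is kept, move that caveat to its own sentence at the top of the section.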