From 8c138a062b48081be9d0c246adb584e462b75416 Mon Sep 17 00:00:00 2001 From: mrhapile Date: Sun, 11 Jan 2026 10:43:37 +0530 Subject: [PATCH] document OpenSSF Scorecard and Trivy image scanning workflows Signed-off-by: mrhapile --- docs/content/direct/testing.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/content/direct/testing.md b/docs/content/direct/testing.md index 6e1c9960..fe1fa0a5 100644 --- a/docs/content/direct/testing.md +++ b/docs/content/direct/testing.md @@ -41,3 +41,32 @@ See `test/e2e/` in the GitHub repository. It has a README. ## Testing releases See [the release testing doc](release-testing.md). + +## CI security scanning + +KubeStellar uses automated security scanning workflows as part of its +continuous integration (CI) pipeline to improve supply-chain security +and provide early visibility into potential vulnerabilities. + +### OpenSSF Scorecard + +An OpenSSF Scorecard workflow is used to evaluate the repository against +a set of security best practices, such as branch protection, dependency +management, and CI configuration. + +When enabled, this workflow typically runs on a schedule and/or on +changes to the main branch. The results are published to the GitHub +**Security** tab. + +### Trivy image scanning + +KubeStellar also uses Trivy to scan container images built in CI for +known vulnerabilities (CVEs). + +A Trivy-based workflow reports **CRITICAL** and **HIGH** severity +findings and uploads results in SARIF format, making them visible in the +GitHub **Security** tab. + +These security scanning workflows are part of the project’s CI +infrastructure only and do not affect the runtime behavior of +KubeStellar deployments. \ No newline at end of file
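Review bot: the new section hedges where project documentation should be definite: `When enabled, this workflow typically runs on a schedule and/or on changes to the main branch` describes OpenSSF Scorecard in general rather than what this repository's workflow actually does, and the Trivy paragraph does not say which images are scanned or whether **CRITICAL** and **HIGH** findings fail the job or are report-only (the latter matters for readers deciding how much to trust a green CI run). Suggest stating the real triggers and the fail/report policy for each workflow and linking each subsection to its definition under `.github/workflows/` (the file names are not given in this patch) so readers can verify the claims; also add a trailing newline, since the hunk ends with `\ No newline at end of file`.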