CNCF Supply Chain Security Survey

Supply chain attacks are on the rise. Open source maintainers must take action to mitigate the risk of compromise by commensurably securing the build infrastructure of their projects.

To help mitigate the impact of these attacks, the CNCF TAG Security group has created the CNCF Software Supply Chain Security Best Practices and the corresponding Secure Software Factory reference architecture. The goal of CNCF TAG Security’s Supply Chain Security WG is to help open source organizations and projects evaluate gaps in their current software supply chain and provide a path forward to remediate based on the best practices and reference architecture.

As part of a concerted effort from the CNCF to help maintainers bridge this gap, TAG Security is conducting this survey as a first step to develop deeper understanding the set of supply chain challenges to overcome that projects maintainers are confronted by, in order from there to formulate how to best engage and help.

These questions refer to your organization or project:

Question Title

* 1. Which project are you filling the survey for? (please provide a link to the project/repo)

Question Title

* 2. When you refer to supply chain security within your organization or project, which of the following most closely matches what you mean:

The security of the dependencies/tools/platforms your organization uses or consumes

The security of the artifacts or products your organization deploys/distributes

Both are equally weighted in our supply chain considerations

Question Title

* 3. What are the preventative steps you have taken in your project for supply chain security?

Generating SBOMs for my project

Dependency vulnerability management for my project

Signing and integrity assurance for project releases

Hardening and provenance of release build process (e.g. SLSA)

Security checks for my project (SAST/DAST in CI/CD, dependabot, credential checker)

Other (please specify)

Question Title

* 4. What tools do you use in securing and orchestrating your supply chain?

Source control tools and servers

CI and CD tools

SBOM Generation tools

Artifact build tools (compiler, container image builder)

Vulnerability scanning tools (SAST/DAST/SCA, etc.)

Provenance generator tools

Signing tools

CI/CD pipeline policy tools

Question Title

* 5. What are the tools and technologies you use for the above?

Question Title

* 6. What motivates you to secure your end to end supply chain pipeline?

Customer requirements

Compliance (organization policy)

Compliance (regulatory)

Security is a key deliverable/aspect for our project

Question Title

* 7. Do you have a process in place to handle supply chain security incidents?

Routine/Chore tasks (ie, dependency updates)

Documentation of a workflow to handle supply chain security incidents

Dedicated security SMEs responsible for handling security incidents

The handling of security incidents practices has been well tested

The handling of security incidents practices has been applied in a real incident

Question Title

* 8. Would you be interested in joining a pilot program for the CNCF Supply Chain Security WG to provide you recommendations and guidelines on how the project can align with?

Yes

Not now, but maybe in the future

CNCF Supply Chain Security Survey

Question Title

* 1. Which project are you filling the survey for? (please provide a link to the project/repo)

Question Title

* 2. When you refer to supply chain security within your organization or project, which of the following most closely matches what you mean:

Question Title

* 3. What are the preventative steps you have taken in your project for supply chain security?

Question Title

* 4. What tools do you use in securing and orchestrating your supply chain?

Question Title

* 5. What are the tools and technologies you use for the above?

Question Title

* 6. What motivates you to secure your end to end supply chain pipeline?

Question Title

* 7. Do you have a process in place to handle supply chain security incidents?

Question Title

* 8. Would you be interested in joining a pilot program for the CNCF Supply Chain Security WG to provide you recommendations and guidelines on how the project can align with?

Question Title

* 9. If yes, how many hours per week could your project dedicate to supply chain security engineering?

Question Title

* 10. What does your stack look like? e.g. languages, major frameworks

Question Title

* 11. How large is the project? Please give them number of git clones and visitors to the page

Question Title

* 12. How large is the project? Number of maintainers

Question Title

* 13. What else could the CNCF Security TAG be doing to help you secure your supply chain?