Security and supply chain improvements

[Defilan]

Overview

Track remaining work to align with CNCF project standards for security and supply chain.

Completed (Quick Wins)

• Add SECURITY.md with vulnerability reporting process
• Add CODE_OF_CONDUCT.md (Contributor Covenant 2.1)
• Enable Dependabot for Go, Actions, and Docker
• Add DCO check workflow

TODO: Security Scanning

Container Image Security

• Add Trivy scanning to release workflow
• Generate SBOM with Syft on each release
• Sign container images with Cosign

Example workflow addition:

- name: Scan image with Trivy
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: ghcr.io/defilantech/llmkube-controller:${{ env.VERSION }}
    format: 'sarif'
    output: 'trivy-results.sarif'

- name: Upload Trivy scan results
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: 'trivy-results.sarif'

Static Analysis

• Enable CodeQL for Go code analysis
• Add results to Security tab

Supply Chain

• Cosign image signing in release workflow
• SBOM generation and attestation
• Verify base images in Dockerfile

TODO: Governance (for CNCF Sandbox+)

• Add GOVERNANCE.md when project grows
• Add OWNERS file for reviewer assignments
• Consider OpenSSF Scorecard badge

References

• CNCF Project Requirements
• OpenSSF Scorecard
• Sigstore/Cosign

[Defilan]

Quick Wins Complete ✅

PR #92 addressed the quick wins section:

• ✅ SECURITY.md with vulnerability reporting process
• ✅ CODE_OF_CONDUCT.md (Contributor Covenant 2.1)
• ✅ Dependabot for Go, Actions, and Docker
• ✅ DCO check workflow

Remaining TODO:

• Trivy scanning in release workflow
• SBOM generation with Syft
• Cosign image signing
• CodeQL for Go static analysis
• OpenSSF Scorecard badge

Keeping this issue open to track the remaining security/supply chain work.