Please describe the enhancement
This is a Roadmap Epic, and needs design and breakdown into smaller work items
One use for Minder is to evaluate projects against specific conformance
criteria, like the OpenSSF Security Baseline.
The security-baseline profile enables this tracking, but there is no clear way
to share this status (in comparison with e.g. the OpenSSF Scorecard and
Best Practices badges).
OpenFGA provides an underlying sharing and relationship mechanism for projects
to be able to share select compliance reports either with the world or with
select audiences (such as project sponsors). Currently, Minder does not track
specific resources which could be used to grant "badge-read" or "audit"-type
permissions in OpenFGA. The solution would probably need to support at least:
- Share all reports (policy evaluation results) for an entity.
- Share all reports (policy evaluation results) for an entity and its dependents.
- Share one specific report (policy evaluation results) for an entity.
Solution Proposal
Define some type of resource below the project level (i.e. related to, and contained by, a project) which represents the intent to export the current (or historical) status of a selected set of rule evaluations, chosen by some of the following properties:
Open questions:
- Does this produce a new API, or is it just adding permission checks on ListEvaluationResults/ListEvaluationHistory/GetEvaluationHistory?
- How to handle "public" permissions vs "auditor" permissions?
- What degree of overlap on Entity and/or Profile across exports is permitted?
- What do we call this thing?
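As an added illustration of the proposal (not part of the issue, and not Minder's actual authorization model), the following OpenFGA authorization model sketches the three sharing shapes and the "public" vs "auditor" split. The type names `report_share`, `entity` and `evaluation`, and the relation names, are assumptions chosen for this sketch; the name of the share resource is one of the open questions above.

```openfga
model
  schema 1.1

type user

type project
  relations
    define admin: [user]

# Hypothetical share resource, contained by a project. `user:*` grants the
# badge-read permission publicly; `auditor` is an explicit per-user grant.
type report_share
  relations
    define project: [project]
    define badge_reader: [user, user:*] or admin from project
    define auditor: [user] or admin from project

# An entity (e.g. a repository) whose evaluation results may be shared.
# `shared_by` covers this entity only; `subtree_shared_by` covers the entity
# and everything below it via the recursive `parent` walk.
type entity
  relations
    define project: [project]
    define parent: [entity]
    define shared_by: [report_share]
    define subtree_shared_by: [report_share]
    define badge_reader: badge_reader from shared_by or subtree_badge_reader
    define subtree_badge_reader: badge_reader from subtree_shared_by or subtree_badge_reader from parent
    define auditor: auditor from shared_by or subtree_auditor
    define subtree_auditor: auditor from subtree_shared_by or subtree_auditor from parent

# One evaluation result (report). It can be shared on its own, or inherit
# the sharing decided at the entity level.
type evaluation
  relations
    define entity: [entity]
    define shared_by: [report_share]
    define badge_reader: badge_reader from shared_by or badge_reader from entity
    define auditor: auditor from shared_by or auditor from entity

# Constructed example tuples (not real Minder data):
#   user:*                 badge_reader        report_share:public-baseline
#   report_share:public-baseline  subtree_shared_by  entity:org-root
#   entity:org-root        parent              entity:repo-a
#   entity:repo-a          entity              evaluation:baseline-42
# With these, `check(user:anyone, badge_reader, evaluation:baseline-42)` is
# allowed, while `auditor` on the same evaluation is denied.
```

A check against `ListEvaluationResults`/`ListEvaluationHistory` would then reduce to an OpenFGA `Check` on the `evaluation` (or `ListObjects` for the `entity`) rather than a new API surface.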
Describe alternatives you've considered
No response
Additional context
No response
Acceptance Criteria
No response