Tech Review of Buildpacks Graduation application#2047
Open
Signed-off-by: Kevin Dubois <kevin.dubois@ibm.com>
tuminoid
reviewed
Feb 21, 2026
Please use yyyy-mm-dd.md for the filename for consistency.
Signed-off-by: Kevin Dubois <kevin.dubois@ibm.com>
kfaseela
reviewed
Feb 23, 2026
> * N/A
> * **Describe how the project is following and implementing [secure software supply chain best practices](https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf)**
> * Buildpacks are designed to improve the software supply chain by making it easier to identify the contents of application images and automate upgrades with minimal effort. The project is also improving its supply chain by ensuring adequate test coverage on all Pull Requests and resolving findings from its third-party security review.
> * The `kpack` kubernetes operator implements [SLSA Level 4](https://slsa.dev/spec/v0.1/levels) compliant build processes. This supports organizations reaching SLSA Level 4 across their entire software artifact production pipeline.
A citation to an attestation/proof?
> * Access Control: The project enforces Two-Factor Authentication (2FA) for its GitHub organizations, buildpacks and buildpacks-community.
> * Reporting: A clear process for reporting security issues is maintained via a [SECURITY.md](https://github.com/buildpacks/.github/blob/main/SECURITY.md) file.
> * Vulnerability Management: The Cloud Native Buildpacks (CNB) project maintains a rigorous security posture by blending standard CNCF governance with automated "security-by-design" features. Procedurally, the project enforces the "Four-Eyes Principle" for code reviews, strict branch protections, and mandatory MFA for all maintainers.
> * To handle the heavy lifting of vulnerability management, the project integrates CNCF Snyk and CNCF FOSSA directly into its CI/CD pipelines. Snyk serves as the primary security engine, scanning both source code and container layers for known CVEs and providing automated pull requests to fix dependencies. Complementing this, FOSSA monitors the "legal health" of the project by auditing every dependency for license compliance, ensuring that no incompatible or high-risk "copyleft" code slips into the ecosystem. Together, these tools ensure that the project remains secure, compliant, and easy to audit for end-users.
Can you link to evidence?
Co-authored-by: Faseela K <k.faseela@gmail.com> Signed-off-by: Kevin Dubois <kevin.dubois@redhat.com>
@kfaseela This opens the Tech Review for the graduation application of Buildpacks.
Refer to the comments in the google doc to review any open review comments: https://docs.google.com/document/d/1OyIrh12avIvPY88MEWY2HV86C7jf8xTejXWkEDI58a4/edit?tab=t.0 .
#1983
cc/ @jkutner @hone @SwEngin @joshgav