docs: add governance (aquasecurity#6090)
Signed-off-by: knqyf263 <[email protected]>
Showing 2 changed files with 40 additions and 0 deletions.
@@ -0,0 +1,39 @@ | ||
# Trivy Project Governance | ||
This document outlines the guiding principles and governance framework for the Trivy project. | ||
|
||
## Core Principles | ||
Trivy is a security scanner focused on static analysis and designed with simplicity and security at its core. | ||
All new proposals to the project must adhere to the following principles. | ||
|
||
### Static Analysis (No Runtime Required) | ||
Trivy operates without requiring container or VM image startups, eliminating the need for Docker or similar runtimes, except for scanning images stored within a container runtime. | ||
This approach enhances security and efficiency by minimizing dependencies. | ||
|
||
### External Dependency Free (Single Binary) | ||
Operating as a single binary, Trivy is independent of external environments and avoids executing external OS commands or processes. | ||
If specific functionality, like Maven's, is needed, Trivy opts for internal reimplementations or processing outputs of the tool without direct execution of external tools. | ||
|
||
This approach obviously requires more effort but significantly reduces security risks associated with executing OS commands and dependency errors due to external environment versions. | ||
Simplifying the scanner's use by making it operational immediately upon binary download facilitates easier initiation of scans. | ||
|
||
### No Setup Required | ||
Trivy must be ready to use immediately after installation. | ||
It's unacceptable for Trivy not to function without setting up a database or writing configuration files by default. | ||
Such setups should only be necessary for users requiring specific customizations. | ||
|
||
Security often isn't a top priority for many organizations and can be easily deferred. | ||
Trivy aims to lower the barrier to entry by simplifying the setup process, making it easier for users to start securing their projects. | ||
|
||
### Security Focus | ||
Trivy prioritizes the identification of security issues, excluding features unrelated to security, such as performance metrics or content listings of container images. | ||
It can, however, produce and output intermediate representations like SBOMs for comprehensive security assessments. | ||
|
||
Trivy serves as a tool with opinions on security, used to warn users about potential issues. | ||
|
||
### Detecting Unintended States | ||
Trivy is designed to detect unintended vulnerable states in projects, such as the use of vulnerable versions of dependencies or misconfigurations in Infrastructure as Code (IaC) that may unintentionally expose servers to the internet. | ||
The focus is on identifying developer mistakes or undesirable states, not on detecting intentional attacks, such as malicious images and malware. | ||
|
||
## Governance Model | ||
The governance of Trivy is collaborative, valuing community input while recognizing Aqua Security's role in making final decisions. | ||
This model ensures that decisions, proposals, and enhancements align with Trivy's mission to provide a secure, simple, and independent security scanning solution, adhering to the project's core principles. |
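Review bot: the "External Dependency Free (Single Binary)" section leaves it ambiguous who runs the external tool whose output Trivy consumes; "processing outputs of the tool without direct execution of external tools" reads as if Trivy might still drive Maven indirectly. Suggest stating it explicitly: the user (or their build) produces the artifact, and Trivy only parses that file, never spawning Maven or any other process, which is the property that actually removes the command-execution and environment-version risks the next paragraph cites. In the same hunk, the "Static Analysis (No Runtime Required)" exception "except for scanning images stored within a container runtime" should say that Trivy reads the image through the runtime's API rather than starting a container, otherwise it undercuts the principle it qualifies. Minor style: drop "obviously" from "This approach obviously requires more effort" and avoid the contraction in "It's unacceptable for Trivy not to function" in a governance document.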