asf-tooling commented on issue #1235: URL: https://github.com/apache/tooling-trusted-releases/issues/1235#issuecomment-4495908329
<!-- gofannon-issue-triage-bot v2 -->

**Automated triage** — analyzed at `main@ab610b23`

**Type:** `discussion` • **Classification:** `no_action` • **Confidence:** `high`

**Application domain(s):** `sbom_and_supply_chain`, `infrastructure_and_shared`

### Summary

This is an open-ended discussion about adding automated security review pipelines for ATR's own dependencies that have few maintainers. @potiuk has proposed using 'scrutineer' (an AI/agentic tool) to scan dependencies, detect insecure setups, and follow a 'fix, fork, forego' framework, referencing existing external work in apache/infrastructure-actions (PR #807) and apache/airflow-steward. The team is still in exploratory mode: @andrewmusselman has reached out to the Airflow team for guidance, and no concrete code change for this repository has been agreed upon yet.

### Proposed approach

No code change is actionable at this time. The discussion is converging on adopting external tooling (scrutineer/airflow-steward) rather than building custom review pipelines inside the ATR codebase. @potiuk's plan involves using scrutineer to scan dependencies, integrate with ecosyste.ms for maintainer data, and generate fix PRs with AI, all of which would be orchestrated externally via 'skills' in apache/infrastructure-actions.

The immediate next step identified by @dave2wave is to create an inventory of ATR's dependencies, their source repositories, and package ecosystems. This would inform which scanners and tools to apply. Until the team converges on a specific tool or approach, no code change to this repository is warranted.

### Open questions

- Will scrutineer be adopted as the primary tool, or will additional/alternative approaches be considered?
- Should an initial dependency inventory be tracked as a separate task or document within this repo?
- What specific metrics (maintainer count, release cadence, OpenSSF Scorecard scores) will be used to flag at-risk dependencies?
- Will the outcome be a GitHub Actions workflow in this repo, or entirely external orchestration via infrastructure-actions/steward?

_The agent reviewed this issue and is not proposing patches in this run. Review the existing-code citations and open questions above before deciding next steps._

### Files examined

- `.asf.yaml`
- `.github/PULL_REQUEST_TEMPLATE.md`
- `.github/dependabot.yml`
- `.github/labeler.yml`
- `.github/linters/.markdown-lint.yml`
- `.github/workflows/allowlistchecker.yml`
- `.github/workflows/analyze.yml`
- `.github/workflows/build.yml`

---

*Draft from a triage agent. A human reviewer should validate before merging any change. The agent did not run tests or verify diffs apply.*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
