Accepted
The maintainers of Konflux components need to demonstrate evidence of practices that support a secure software development lifecycle (for example scanning, manifest generation and vulnerability detection).
There are many options available to us, notably GitHub Actions. However, we are building a CI/CD platform that is meant to support a secure software development lifecycle from the start, so it should be able to secure its own components.
Use our own pipelines to build and scan Konflux components. Almost all of our components already do this today; look for evidence in the .tekton/ directory of each component's git repository.
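A concrete way to check for that evidence across a checkout, as an added example (not Konflux tooling): the script below lists every Tekton PipelineRun under a repository's .tekton/ directory together with the pipeline it references, using only POSIX sh, grep and awk so it runs on a bare CI runner. The sample repository it builds is constructed for the example; the file and pipeline names in it are placeholders, not real Konflux component identifiers.

```shell
#!/bin/sh
# Added example, not Konflux project code: audit a git checkout for the
# evidence this decision points at, i.e. Tekton PipelineRun definitions
# under <repo>/.tekton/.

# Print "<file> <kind> <pipelineRef or (inline)>" for every Tekton resource
# found in <repo>/.tekton/. Returns 1 if the directory does not exist.
list_tekton_runs() {
  repo="$1"
  [ -d "$repo/.tekton" ] || { echo "no .tekton/ directory in $repo" >&2; return 1; }
  for f in "$repo"/.tekton/*.yaml "$repo"/.tekton/*.yml; do
    [ -f "$f" ] || continue
    awk -v file="${f##*/}" '
      /^kind:/            { kind = $2 }            # top-level resource kind
      /^ *pipelineRef:/   { want = 1; next }       # the next name: is the ref
      want && /^ *name:/  { ref = $2; want = 0 }
      /^ *pipelineSpec:/  { ref = "(inline)" }     # pipeline embedded in the run
      END { if (kind != "") print file, kind, (ref == "" ? "(none)" : ref) }
    ' "$f"
  done
}

# Number of PipelineRun resources under <repo>/.tekton/ ("0" when none or
# when the directory is missing).
count_pipelineruns() {
  list_tekton_runs "$1" 2>/dev/null | awk '$2 == "PipelineRun"' | wc -l | tr -d ' '
}

# Constructed fixture so the check can be exercised offline: a minimal repo
# whose .tekton/ holds one PipelineRun with a pipelineRef and one with an
# inline pipelineSpec. Names are placeholders, not real components.
make_sample_repo() {
  d="$1"
  mkdir -p "$d/.tekton"
  cat > "$d/.tekton/push.yaml" <<'EOF'
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: example-on-push
spec:
  pipelineRef:
    name: example-build-pipeline
EOF
  cat > "$d/.tekton/pull-request.yaml" <<'EOF'
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  name: example-on-pull-request
spec:
  pipelineSpec:
    tasks: []
EOF
}
```

Run it against a real checkout with `list_tekton_runs /path/to/component-repo`; a component whose count_pipelineruns result is 0 has no pipeline-as-code evidence in the place this decision says to look. The awk parsing is deliberately shallow (it only reads top-level `kind:` and the first `name:` after `pipelineRef:`), which is enough for an inventory but not a substitute for validating the YAML.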
However, we have stopped short of configuring an Application and Components in Konflux for them: we use the pipelines directly rather than through the Konflux UI. We intend to start doing so, but have not yet made time for it.