Project: OpenShift Builds, issue BUILD-767

s2i Security Review

    • Status: To Do
    • Related issue: SECFLOWOTL-30 - s2i Security Review
    • Progress: 0% To Do, 0% In Progress, 100% Done
    • Size: XS

      Epic Goal

      • Complete RH-SDL for source-to-image (s2i).
      • RH-SDL includes multiple security check tasks for any product; this epic focuses on the penetration test (PenTest) and the Security Architect Review (SAR). All the other tasks are marked as done at https://issues.redhat.com/browse/BUILD-835

      Why is this important?

      • Any product available to customers needs to follow security guidelines. RH-SDL is the set of steps every product must go through before it is released to customers.
      • Source-to-image is a dependency of multiple Red Hat products:
        • OpenShift Container Platform
        • OpenShift Pipelines
        • Builds for OpenShift
        • OpenShift Serverless

      Scenarios

      1. Static analysis of source code
      2. Vulnerability analysis of binaries and container images
      3. Implementation of secure software best practices

      Acceptance Criteria (Mandatory)

      • Attest implementation of core Red Hat SDL requirements
      • Security Architect Review
      • ProdSec completion of penetration testing (PenTest)

      Dependencies (internal and external)

      1. Review requires working with a Security Architect.
      2. The Product Security team is needed to conduct the pentest.

      Previous Work (Optional):

      • Other SDL efforts for the team

      Open questions:

      1. Can the s2i pentest be included in the pentests for dependent products (which likely have higher priority in ProdSec's queue)?

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in a production environment

      People: Gaurav Kamathe (gkamathe@redhat.com), Divyanshu Agrawal (diagrawa)