[Required] Improve security self-assessment doc

[terrytangyuan]

From CNCF TOC:

KServe Security Self Assessment is available at https://github.com/kserve/community/blob/main/security/self-assessment.md.

TODO for KServe Team:

1. Link to the CI/CD generated SBOMs at https://github.com/kserve/community/blob/main/security/self-assessment.md#software-bill-of-materials
2. Clarify if the generated docker images are scanned for security vulnerabilities at https://github.com/kserve/community/blob/main/security/self-assessment.md#development-pipeline
3. CONTRIBUTING.md should also include information about how to report security vulnerabilties at https://github.com/kserve/community/blob/main/security/self-assessment.md#development-pipeline

[spolti]

1. Link to the CI/CD generated SBOMs a
The sboms are packed as manifest together with the container image, the attestation manifest sha can be found in the build logs, e.g.:
~~ ~~#98 exporting to image~~ ~~#98 exporting attestation manifest sha256:abf36774189e25ba7f2dc8942a1ed05227cdfea6c03177d80c2d750f240c750d ~~done~~ ~~

2. Clarify if the generated docker images are scanned for security vulnerabilities at

AFAIK Dockerhub does not provide security scans unless it is enabled:
https://hub.docker.com/layers/kserve/kserve-controller/v0.15.2/images/sha256-779eb71f09722014c3bd37eae48bbe2933001d313bb4e7c48b1f7b4e0dc3d340

there is no info here.

@terrytangyuan @yuzisun ^

[terrytangyuan]

Looks like we'll need to upgrade for that feature:

Upgrade your subscription to enable basic Hub vulnerability scanning

With basic Hub vulnerability scanning, any images you push to Hub are automatically scanned for OS and application vulnerabilities. View detailed scan reports on a per-tag basis to assess potential threats, and measure trends over time.

Available with Pro, Team and Business subscriptions.

[spolti]

We have a few options, like:

• add a step in the build actions to test with a third-party tool, like trivy or snyk cli
• Push the containers to quay.io in addition to docker and gcr.

[terrytangyuan]

@yuzisun WDYT? I think we can push to quay. Other projects like Argo has been pushing to both registries given the rate limiting issue on Dockerhub. All examples use Quay now.

[spolti]

#45

Still missing the container scan part.

[sivanantha321]

• add a step in the build actions to test with a third-party tool, like trivy or snyk cli

We already have snyk scan running twice a week.https://github.com/kserve/kserve/blob/master/.github/workflows/scheduled-image-scan.yml

There is also a scan for go source code as well. https://github.com/kserve/kserve/blob/master/.github/workflows/scheduled-go-security-scan.yml. Though I think we should also add govulncheck tool. https://go.dev/doc/tutorial/govulncheck

[spolti]

Thanks, will update it.

[spolti]

@sivanantha321 I think I've addressed all your comments on #50

[kfaseela]

@terrytangyuan There are a lot of how-to-contribute documents scattered here and there, and my initial comment which was linked to https://github.com/kserve/kserve/blob/master/CONTRIBUTING.md is still not taking me to work done in the PR above directly. Can the links given in https://github.com/kserve/kserve/blob/master/CONTRIBUTING.md just point to https://github.com/kserve/community/blob/main/CONTRIBUTING.md ? Also would be nice to have all these kinds of docs only in a single place. Because https://github.com/kserve/community#how-can-i-help- is there in both the repos, and both does not seem to be updated with info on how to report security vulnerabilities