59 changes: 59 additions & 0 deletions sig-security-tooling/srctl/README.md
@@ -0,0 +1,59 @@
# srctl

`srctl` is a small CLI tool used by Kubernetes Security Response Committee (SRC) members to publish official CVE announcements.
Member

Could you wrap all lines to 80 chars approx? That makes review easier; you can use vim with gq for that.


It was created to standardize and simplify the CVE publication workflow, while enabling the generation of structured vulnerability metadata that can be consumed by downstream security tooling.

---
Member

Could you remove the `---` in the doc?


## Background

As Kubernetes security processes evolved, publishing CVEs required more structure and consistency. In particular, there was a need to:

- Reduce manual steps during CVE publication
- Generate reproducible and machine-readable vulnerability data
- Support OSV-formatted metadata for integration with the official CVE feed

`srctl` was introduced to address these needs with a simple, focused command-line tool.

Related context can be found in:

- tooling: add new CLI for CVE publication by SRC members (#171)
- tooling: official CVE feed: add OSV schema JSON feed (#169)

---

## What This Tool Does

At a high level, `srctl` helps SRC members:

- Create CVE announcement content
- Generate OSV-compliant JSON vulnerability data
- Ensure CVE metadata follows agreed conventions

The generated outputs are typically embedded into GitHub issues and later consumed by tooling that builds the official Kubernetes CVE feed.

---

## Intended Users

This tool is primarily intended for:

- Kubernetes Security Response Committee (SRC) members
- Contributors involved in CVE publication and coordination
Member

@mtardy mtardy Mar 11, 2026

Could you remove this line? It's only for SRC people, but this is not the only problem; see the general feedback.


It is not designed as a general-purpose vulnerability scanning or analysis tool.

---

## Usage Overview

`srctl` is a CLI-based tool. Its commands are used as part of the CVE publication workflow to generate and validate CVE-related artifacts.

For concrete examples of its usage, refer to CVE issues created using `srctl` and the initial implementation in PR #171.

---

## Contributing

Documentation improvements and tooling enhancements are welcome. Contributions should follow Kubernetes community guidelines and SIG Security processes.
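Review bot: the `## Usage Overview` section near the end of this hunk documents no command at all and instead sends readers to "CVE issues created using `srctl`" and PR #171, so someone who opens this README still cannot install or run the tool; add an installation line and the actual subcommands with one invocation each, because a README that depends on another PR for its usage will go stale as soon as the CLI changes. The `Related context` list in `## Background` cites `#171` and `#169` as bare numbers; turning them into links keeps the references resolvable when the file is read outside GitHub.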