FIPS-140-2 Compliance #4385
mparuszewski
started this conversation in
Ideas
Replies: 2 comments
-
Please remove stale lifecycle, this is interesting for users who are in FedRAMP or undergoing FedRAMP certification
0 replies
-
I'd like to see FIPS 140-2 compliant scans become part of the suite too. More than interesting, this is necessary for FedRAMP certification. Being able to make sure all our modules are compliant at all levels means we would not have to add on, or move to, a different scanning tool.
0 replies
-
Background:
FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules. Recently we have seen increased interest in developing and using FIPS-compliant software. It is especially needed when working with the U.S. government or other regulated industries.
What would you like to be added:
It would be great to see a build of trivy that is FIPS-compliant.
To make sure trivy is FIPS-compliant, we need to build it with Go with crypto libraries that are FIPS-compliant. In the industry the BoringSSL fork of Go is used to create FIPS-compliant builds, i.e., RKE2, Contour, Konvoy, etc., so we could go with this path or investigate other approaches.
Challenges:
Additional context:
There are multiple articles about the possibility of building Go apps that are FIPS-compliant. The main problem that we need to solve is that the app must use FIPS-verified cryptographic libraries. Unfortunately, native golang libraries are not FIPS-verified.
More information: