Enable FOSSA license scanning across all Kubernetes orgs

[justaugustus]

Organization or repository

All k8s orgs

Name of integration

FOSSA

Link to integration website

• https://fossa.io/
• https://github.com/fossas/fossa-docs/blob/master/src/md/getting-started/repository-permissions.md

Describe what is attempting to be accomplished

As a project, we'd like to be able to scan software licenses with some framework and it seems the general consensus has been to use FOSSA.
There are multiple tracking issues and threads to catch up on, so I'll point there instead:

• Open k/steering issue: Kubernetes license scanning steering#57
• Umbrella k/sig-release tracking: [Umbrella] License Auditing & Remediation sig-release#223
• Older k/steering issue: Third party dependencies in kubernetes steering#21

Additional context for request

N/A

/area github-integration
/assign
/cc @kubernetes/owners @nikhita @dims @swinslow

[dims]

@justaugustus can you please point us to the page that describes the permissions needed by this app?

[justaugustus]

@dims -- here you go: https://github.com/fossas/fossa-docs/blob/master/src/md/getting-started/repository-permissions.md

added to the issue description as well.

[spiffxp]

Write access to repo webhooks makes me a little leery

[spiffxp]

I see this already happens to be enabled for google and GoogleCloudPlatform, so I figure if it's good enough for them...

But seriously, discussed in private with the rest of @kubernetes/owners, it's been enabled for kubernetes-sigs for a bit and nothing has caught on fire, so we're ok with this

[fejta]

This is fine as a first step. +1

At what kind of cadence does this provide results? Ideally we find a solution that allows us to prevent merges of bad licenses, in addition to flagging problems after the fact.

[spiffxp]

I clicked the 'grant' button for the kubernetes orgs I manage. Explicitly not touching kubernetes-security.

[idvoretskyi]

@justaugustus +1. Thanks for doing this!

[cblecker]

+1 in support of this.

[spiffxp]

/close
I leave it to @justaugustus to continue setting this up, please ping here / reopen if permissions still aren't correct for you to do what you need

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
I leave it to @justaugustus to continue setting this up, please ping here / reopen if permissions still aren't correct for you to do what you need

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[justaugustus]

Yayyyyy! I'll be kicking off documentation around the Licensing / Compliance subproject next week. It was mentioned here originally, but I've actually got bandwidth to do stuff now.

Thanks @spiffxp! :)