Hey Mark,
thanks a lot for reaching out. There is no dedicated security workflow for a Flink release.
This is the guide for creating a Flink release (for Flink committers, not for just building Flink locally): https://cwiki.apache.org/confluence/display/FLINK/Creating+a+Flink+Release
As part of the release creation process, there's a 3-day voting period per release candidate with an extensive review by the community. A Flink release needs a majority among the PMC members to be released. As part of this voting process, we check that the source code and binaries are properly signed by the release manager, and we check that the release artifacts are compliant with Apache's rules for a release: http://www.apache.org/dev/release-publishing.html
There is also some additional information on how the ASF handles security: https://www.apache.org/security/

Afaik some vendors providing Flink distributions have more involved security processes.


On Wed, Mar 18, 2020 at 6:07 PM Mark Hapner <mhapner@cogility.com> wrote:

Are there any docs/links that describe the security workflow for a Flink release? For instance, the static code scan workflow; pen test workflow; security review of new features; etc.


The reason for the question is to better understand how to include Flink within the security workflow of a product that includes it as a component.
