From 11abe2ea8239b77450baaf61b9173aea3ed57ab5 Mon Sep 17 00:00:00 2001 From: realaravinth Date: Thu, 6 Oct 2022 16:47:15 +0530 Subject: [PATCH] feat: chef isn't FOSS but there's a FOSS distribution for it + devsecops best practices guide --- README.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b1d109b..dd2b14d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,21 @@ 1. (DevSec Hardening Framework](https://dev-sec.io/): Automatic Server hardening -2. [Chef Inspec](https://community.chef.io/tools/chef-inspec): Infrastructure-as-Code to auto-configure VMs and apps running in it to meet compliance. +2. [Chef Inspec](https://community.chef.io/tools/chef-inspec)(Apacha 2.0 and proprietary): Infrastructure-as-Code to auto-configure VMs and apps running in it to meet compliance. + + The binary installation(the one you get when you follow installation + instructions) requires accepting EULA, so essentially proprietary? Please see [here](https://github.com/inspec/inspec/issues/5109) for + the issue discussing the EULA and [here](https://saf.mitre.org/#/faq#5) for building Apache 2.0 + compliant binary. + + Also, there's the [CINC is not CHef (CINC)](https://cinc.sh/) + project that distributes fully FOSS([Apache2.0 and free of EULAs](https://cinc.sh/goals/)) Chef software. + +3. [MITRE Security Automation Framework + (SAF)](https://saf.mitre.org/#/): framework of tools, techniques, + libraries developed by MITRE and security community +4. [MITRE 2020 DevSecOps Best Practices + Guide](https://saf.mitre.org/DevSecOps_Best_Practices_Guide_01262020.pdf) ## Linux @@ -13,3 +27,7 @@ ## K8s 1. [NSA K8s Hardening Guide](https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF)))) + +## Notes + +### Chef
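Review bot: In the first hunk (the rewritten entry 2), the license tag has a typo and a missing space: `(Apacha 2.0 and proprietary)` should read ` (Apache 2.0 and proprietary)` with a space after the closing `)` of the link, otherwise the tag is glued to the link text when rendered. The same hunk has "CINC is not CHef" (stray capital H) and "Apache2.0" without a space, and the phrasing "so essentially proprietary?" leaves a question in the README where a reader expects a statement; since the linked inspec issue #5109 and the MITRE SAF FAQ are cited right there, stating plainly that the distributed binary is under an EULA while the source is Apache 2.0 would be clearer. Entry 4 (the MITRE 2020 DevSecOps Best Practices Guide) is the only item without a one-line description; adding one keeps the list consistent. Since this hunk touches the surrounding lines anyway, the unchanged context line `1. (DevSec Hardening Framework](https://dev-sec.io/)` has a `(` where the markdown link needs `[`, so the link does not render; worth fixing in the same change.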
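Review bot: The second hunk adds a `## Notes` section with an empty `### Chef` heading and nothing under it, so the README ends with a heading that has no content; either the Chef note (which in this patch actually landed inside entry 2 of the first hunk) should be moved here, or the empty section should be left out of this commit. The unchanged context line above it, `1. [NSA K8s Hardening Guide](...PDF))))`, carries three stray `)` after the link; since the hunk already touches this area, dropping them here is a cheap fix.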