
[security] audit repository tooling

Open EjiroLaurelD opened this issue 2 years ago • 1 comments

Hello. The Security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • [ ] CodeQL enabled via GitHub Actions
  • [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • [ ] Repository security settings
    • [x] Security Policy ✅
    • [x] Security advisories ✅
    • [ ] Private vulnerability reporting ✅
    • [ ] Dependabot alerts ✅
    • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

EjiroLaurelD avatar Oct 21 '23 19:10 EjiroLaurelD
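For the second checklist item, the collector's approach of running govulncheck on every build can be reproduced in any Go repository with a small GitHub Actions workflow. The workflow below is an added example for illustration, not a file from the opentelemetry-configuration repository or from the collector; it assumes a Go module at the repository root, and the workflow name and branch name are placeholders.

```yaml
# Added example (not from the issue or the repository): run govulncheck on
# every push and pull request so that a dependency with a known vulnerability
# that is actually reachable from this module fails the build.
name: govulncheck

on:
  push:
    branches: [main]   # placeholder: use the repository's default branch
  pull_request:

permissions:
  contents: read       # least privilege: the job only reads the source tree

jobs:
  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # pin the toolchain to the module's declared Go version
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Scan for known vulnerabilities reachable from this module
        # govulncheck exits non-zero when it finds a vulnerable function that
        # the module's code can call, which fails this step and the build.
        run: govulncheck ./...
```

govulncheck reports only vulnerabilities whose affected symbols are reachable from the scanned packages, so it produces far fewer false positives than a plain manifest-based dependency scan; the trade-off is that, as jaydeluca notes below for CodeQL, it has nothing to analyse in a repository that contains no Go code.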

Just a note, since there is no functional code in this repository, CodeQL will not apply (I tested what it would do and it results in the github action failing with the error CodeQL did not detect any code written in languages supported by CodeQL.). The same for Static code analysis.

jaydeluca avatar Nov 19 '23 12:11 jaydeluca

I thought most Otel repos have moved to renovate from dependabot? Can either be used?

tsloughter avatar Sep 19 '24 16:09 tsloughter

> I thought most Otel repos have moved to renovate from dependabot? Can either be used?

This is true for dependency management; dependabot is still used for security alerts, though.

codeboten avatar Sep 19 '24 17:09 codeboten

The last item (govulncheck) was addressed, marking this issue closed.

codeboten avatar Sep 25 '24 14:09 codeboten