
[security] audit repository tooling

Open codeboten opened this issue 2 years ago • 2 comments

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • [x] CodeQL enabled via GitHub Actions
  • [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • [x] Repository security settings
    • [x] Security Policy ✅
    • [x] Security advisories ✅
    • [x] Private vulnerability reporting ✅
    • [x] Dependabot alerts ✅
    • [x] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

codeboten, Aug 21 '23 17:08
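A GitHub Actions workflow that wires up the two tooling items from the checklist above, CodeQL analysis and a govulncheck run on every push and pull request, as an added example rather than the demo repository's own configuration. The CodeQL language matrix is an assumed subset of whatever the repository actually contains, and the Go module directory is a placeholder to be replaced with a real one.

```yaml
name: security-scans

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly run picks up new CodeQL queries and vuln DB entries

permissions:
  contents: read
  security-events: write   # needed for CodeQL to upload results to Code scanning alerts

jobs:
  codeql:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false     # one language failing should not hide results for the others
      matrix:
        language: [go, javascript]   # assumed subset; extend to the languages in the repo
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"   # keeps per-language alerts separate

  govulncheck:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: path/to/go-module   # placeholder: directory containing a go.mod
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: path/to/go-module/go.mod   # placeholder, same module as above
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      # govulncheck only reports vulnerable functions actually reachable from the module,
      # so a non-zero exit here is a finding worth blocking the build on.
      - run: govulncheck ./...
```

For a repository with several Go modules, turn the govulncheck job into a matrix over their directories so each module is checked against its own go.mod.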

Hello @codeboten, I am Ogbodo Esther Oluomachukwu, an Outreachy applicant. I want to contribute by ensuring security tooling is set up.

OluomaEsther, Oct 09 '23 20:10

Given that the demo isn't a production application, and the wide number of languages, we'd like to opt out of the static analysis. Let me know if this is a problem, @open-telemetry/sig-security-maintainers.

austinlparker, Mar 11 '24 18:03