
[security] audit repository tooling

Open arademm opened this issue 2 years ago • 3 comments

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • [ ] CodeQL enabled via GitHub Actions
  • [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • [ ] Repository security settings
    • [x] Security Policy ✅
    • [ ] Security advisories ✅
    • [x] Private vulnerability reporting ✅
    • [ ] Dependabot alerts ✅
    • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

arademm, Oct 21 '23 17:10

Hi @pellared, can you please check if Dependabot alerts & code scanning alerts are enabled for the repo? I will pick up CodeQL & the addition of govulncheck to the repo.

sakshi-1505, Dec 06 '23 17:12

/assign

sakshi-1505, Dec 06 '23 17:12

No. I am not a maintainer.

pellared, Dec 08 '23 13:12