opentelemetry-network

[security] audit repository tooling

Open sakshi-1505 opened this issue 1 year ago • 2 comments

Describe the issue you're reporting

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • [ ] CodeQL enabled via GitHub Actions
  • [ ] Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • [x] Repository security settings
    • [x] Security Policy ✅
    • [x] Security advisories ✅
    • [ ] Private vulnerability reporting ✅
    • [ ] Dependabot alerts ✅
    • [ ] Code scanning alerts ✅

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

sakshi-1505, Oct 22 '23 16:10
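The checklist above is the kind of thing that is worth confirming against the API rather than by eye. What follows is an added example written for this page; it is not code from the issue author or from the opentelemetry-network project. It assumes the `gh` CLI is installed and authenticated with a token that has admin rights on the repository, and it relies on the documented REST behaviour as I understand it: `GET /repos/{owner}/{repo}/vulnerability-alerts` answers 204 when Dependabot alerts are on and 404 when they are off (or when the caller is not an admin), `GET .../private-vulnerability-reporting` returns `{"enabled": true|false}`, and `GET .../code-scanning/alerts` answers 200 only once an analysis (for example a CodeQL run) has been uploaded, 404 before that and 403 when code scanning is not enabled. The `example-org/example-repo` responses are constructed so the script can be exercised offline; the security advisories item is not checked because the feature has no enable/disable setting to query.

```python
"""Audit the repository security settings in the checklist above via the GitHub API.

Added example for this issue; not part of the opentelemetry-network project and
not code from the issue author. Requires the `gh` CLI authenticated as a
repository admin: the vulnerability-alerts endpoint answers 404 both when
Dependabot alerts are off and when the caller lacks admin rights, so a
non-admin token silently under-reports.
"""
import json
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]           # (HTTP status, response body)
Fetcher = Callable[[str], Response]  # maps an API path to a Response


def gh_fetch(path: str) -> Response:
    """Fetch an API path through `gh api -i`.

    `-i` prints the status line and headers ahead of the body, which is what
    lets us tell 204 (enabled) from 404 (disabled) on endpoints that return
    no body. gh exits non-zero on any 4xx, so the exit code is ignored and
    the status line is parsed instead.
    """
    proc = subprocess.run(["gh", "api", "-i", path], capture_output=True, text=True)
    out = proc.stdout.replace("\r\n", "\n")
    if not out.startswith("HTTP/"):
        raise RuntimeError(f"gh api {path} produced no HTTP response: {proc.stderr.strip()}")
    head, _, body = out.partition("\n\n")
    status = int(head.split("\n", 1)[0].split()[1])  # "HTTP/2.0 204 No Content" -> 204
    return status, body


def audit(owner: str, repo: str, fetch: Fetcher = gh_fetch) -> Dict[str, bool]:
    """Return {check_name: enabled} for the settings the checklist asks about."""
    base = f"repos/{owner}/{repo}"
    results: Dict[str, bool] = {}

    # Dependabot alerts: 204 when enabled, 404 when disabled (or no admin rights).
    status, _ = fetch(f"{base}/vulnerability-alerts")
    results["dependabot_alerts"] = status == 204

    # Private vulnerability reporting: JSON body {"enabled": true|false}.
    status, body = fetch(f"{base}/private-vulnerability-reporting")
    enabled = False
    if status == 200:
        try:
            enabled = json.loads(body).get("enabled") is True
        except ValueError:
            enabled = False
    results["private_vulnerability_reporting"] = enabled

    # Code scanning alerts: 200 (even with an empty list) once an analysis such
    # as a CodeQL run has been uploaded; 404 means nothing uploaded yet and
    # 403 means code scanning is not enabled for the repository.
    status, _ = fetch(f"{base}/code-scanning/alerts?per_page=1")
    results["code_scanning_alerts"] = status == 200

    # Security policy: GitHub recognises SECURITY.md in the root, .github/ or docs/.
    results["security_policy"] = any(
        fetch(f"{base}/contents/{p}")[0] == 200
        for p in ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")
    )
    return results


def missing(results: Dict[str, bool]) -> List[str]:
    """Names of the checklist items that are not enabled, for the issue comment."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed responses (not captured from any real repository) so the audit
# can be exercised offline; a real run swaps in gh_fetch instead.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "repos/example-org/example-repo/vulnerability-alerts": (204, ""),
    "repos/example-org/example-repo/private-vulnerability-reporting": (200, '{"enabled": true}'),
    "repos/example-org/example-repo/code-scanning/alerts?per_page=1": (404, '{"message": "no analysis found"}'),
    "repos/example-org/example-repo/contents/.github/SECURITY.md": (200, '{"name": "SECURITY.md"}'),
}


def sample_fetch(path: str) -> Response:
    """Offline stand-in for gh_fetch backed by SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(path, (404, '{"message": "Not Found"}'))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        owner, repo, fetch = sys.argv[1], sys.argv[2], gh_fetch
    else:
        owner, repo, fetch = "example-org", "example-repo", sample_fetch
    report = audit(owner, repo, fetch)
    for name, ok in report.items():
        print(f"[{'x' if ok else ' '}] {name}")
    sys.exit(1 if missing(report) else 0)
```

Run it as `python audit_repo_security.py open-telemetry opentelemetry-network` with an admin token; with no arguments it audits the constructed sample, where the only unticked item is code scanning because no analysis has been uploaded yet, which is exactly the state a repository is in before a CodeQL workflow has run once. The non-zero exit on any missing item makes the script usable as an org-wide CI gate.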

@bjandras Please confirm whether the Dependabot alerts and scanning alerts are enabled for the repository. I do see Trivy checks in the Actions, so I guess we can mark off the static code analysis tool; I will raise a PR for the CodeQL check. Please let me know if the plan of action seems correct.

sakshi-1505, Oct 22 '23 16:10

\assign

sakshi-1505, Oct 22 '23 16:10