Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] audit repository tooling #52

Closed
8 tasks done
Tracked by #12
EjiroLaurelD opened this issue Oct 21, 2023 · 4 comments
Closed
8 tasks done
Tracked by #12

[security] audit repository tooling #52

EjiroLaurelD opened this issue Oct 21, 2023 · 4 comments
Assignees
@codeboten

Comments

@EjiroLaurelD
Copy link

EjiroLaurelD commented Oct 21, 2023
edited by codeboten
Loading

Hello,
The Security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12
@codeboten codeboten mentioned this issue Oct 23, 2023
Open
68 tasks
@jaydeluca
Copy link
Member

Just a note, since there is no functional code in this repository, CodeQL will not apply (I tested what it would do and it results in the github action failing with the error CodeQL did not detect any code written in languages supported by CodeQL.). The same for Static code analysis.

@codeboten codeboten self-assigned this Sep 16, 2024
@codeboten codeboten self-assigned this Sep 16, 2024
codeboten added a commit to codeboten/opentelemetry-configuration that referenced this issue Sep 16, 2024
@codeboten
add codeql workflow
08c0f8c 
This will validate changes to the code in this repo. Part of open-telemetry#52

Signed-off-by: Alex Boten <[email protected]>
@codeboten codeboten mentioned this issue Sep 16, 2024
Merged
codeboten added a commit that referenced this issue Sep 17, 2024
@codeboten
add codeql workflow (#123)
76129f4 
This will validate changes to the code in this repo. Part of #52

Signed-off-by: Alex Boten <[email protected]>
@codeboten codeboten mentioned this issue Sep 19, 2024
Closed
@tsloughter
Copy link
Member

I thought most Otel repos has moved to renovate from dependabot? Can either be used?

codeboten added a commit to codeboten/opentelemetry-configuration that referenced this issue Sep 19, 2024
@codeboten
chore: add govulncheck check for validator
8117836 
This addresses one of the items in the checklist for open-telemetry#52

Signed-off-by: Alex Boten <[email protected]>
@codeboten codeboten mentioned this issue Sep 19, 2024
Merged
@codeboten
Copy link
Contributor

I thought most Otel repos has moved to renovate from dependabot? Can either be used?

This is true for dependency management, dependabot is still used for security alerts though

codeboten added a commit that referenced this issue Sep 25, 2024
@codeboten
chore: add govulncheck check for validator (#126)
f27d8d9 
This addresses one of the items in the checklist for #52
---------

Signed-off-by: Alex Boten <[email protected]>
@codeboten
Copy link
Contributor

The last item (govulncheck) was addressed, marking this issue closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@codeboten codeboten

Labels
None yet
Projects
Declarative Configuration Stability
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tsloughter @codeboten @jaydeluca @EjiroLaurelD