[security] audit repository tooling #4459

Closed
8 tasks done
Tracked by #12
codeboten opened this issue Aug 21, 2023 · 10 comments

Comments

@codeboten (Contributor) commented Aug 21, 2023

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12
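As an added example (not code from this issue or from the opentelemetry-go repository), the Go program below is the kind of gate a Makefile target can run over `govulncheck -json ./...` output: it fails the build only when a vulnerable symbol is actually reachable from the module, while still logging findings where the vulnerable module is merely required. The trace layout it relies on (a symbol-level finding has a `function` in its first trace frame, module- and package-level findings do not) follows govulncheck's documented JSON output; the sample stream, its OSV ids, module names and versions, and the `-sample` flag are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// Frame is one entry of a finding's call trace, in the shape govulncheck
// documents for `-json` output: index 0 is the vulnerable module, package
// or symbol, the last entry is the entry point in our own code.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the payload of a {"finding": ...} message in the stream.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// message is one JSON value of the stream. "config", "progress" and "osv"
// messages carry no "finding" key and are skipped; only findings are used.
type message struct {
	Finding *Finding `json:"finding"`
}

// Summary maps OSV ids to the version that fixes them, split by reachability.
type Summary struct {
	Reachable  map[string]string // a vulnerable symbol is called from this module
	ImportOnly map[string]string // the module/package is required, the symbol is not reached
}

// Triage decodes the stream and classifies every finding. A finding whose
// first trace frame names a function is symbol-level, i.e. the vulnerable
// code is reachable; module- and package-level findings only say the
// dependency is present. One OSV id normally appears at several levels,
// so a symbol-level hit promotes the id out of ImportOnly.
func Triage(r io.Reader) (Summary, error) {
	s := Summary{Reachable: map[string]string{}, ImportOnly: map[string]string{}}
	dec := json.NewDecoder(r)
	for {
		var m message
		err := dec.Decode(&m)
		if err == io.EOF {
			return s, nil
		}
		if err != nil {
			return s, fmt.Errorf("decoding govulncheck stream: %w", err)
		}
		f := m.Finding
		if f == nil {
			continue
		}
		if len(f.Trace) > 0 && f.Trace[0].Function != "" {
			s.Reachable[f.OSV] = f.FixedVersion
			delete(s.ImportOnly, f.OSV)
		} else if _, called := s.Reachable[f.OSV]; !called {
			s.ImportOnly[f.OSV] = f.FixedVersion
		}
	}
}

// ShouldFail is the build gate: only reachable vulnerabilities break the build.
func (s Summary) ShouldFail() bool { return len(s.Reachable) > 0 }

// Report renders both groups in a stable order for CI logs.
func (s Summary) Report() string {
	var b strings.Builder
	for _, id := range sortedKeys(s.Reachable) {
		fmt.Fprintf(&b, "FAIL %s: vulnerable symbol is called, fixed in %s\n", id, s.Reachable[id])
	}
	for _, id := range sortedKeys(s.ImportOnly) {
		fmt.Fprintf(&b, "info %s: module required but vulnerable code not reached, fixed in %s\n", id, s.ImportOnly[id])
	}
	return b.String()
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SampleStream is a constructed stand-in for `govulncheck -json ./...` output;
// the OSV ids, modules and versions are made up for this example.
const SampleStream = `
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"progress":{"message":"Scanning your code and 2 packages across 2 dependent modules for known vulnerabilities..."}}
{"osv":{"id":"GO-0000-0001","summary":"constructed sample advisory"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep/parse"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.2.3","trace":[{"module":"example.com/dep","version":"v1.2.0","package":"example.com/dep/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app","function":"main"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v0.9.0","trace":[{"module":"example.com/other","version":"v0.8.0"}]}}
`

func main() {
	in := io.Reader(os.Stdin)
	if len(os.Args) > 1 && os.Args[1] == "-sample" { // -sample: use the constructed stream
		in = strings.NewReader(SampleStream)
	}
	s, err := Triage(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Print(s.Report())
	if s.ShouldFail() {
		os.Exit(1)
	}
}
```

In a Makefile this would be wired as `govulncheck -json ./... | go run ./internal/tools/vulngate` (the `vulngate` path is hypothetical). govulncheck's text mode already separates vulnerabilities your code calls from those in modules you merely require; the point of consuming the JSON stream is to keep that distinction machine-readable in CI, so a `GO-0000-0002`-style import-only finding is logged and tracked without blocking every PR.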

@MadVikingGod (Contributor)

Our current CodeQL is scheduled to run at 1:30am every day, whereas the collector runs on pushes to main and on PRs. Should we update it?

@codeboten (Contributor, Author)

The recommendation is to run it on push to main and on PRs: open-telemetry/sig-security#15

@pellared (Member)

I think we can also use this issue to adopt the same tooling/automation in https://github.com/open-telemetry/opentelemetry-go-contrib

@sakshi-1505 (Contributor) commented Oct 8, 2023

Hello Team, I think we have already added CodeQL. On the staticcheck front, please allow me to suggest golangci-lint or staticcheck (https://staticcheck.io/docs/getting-started/); this is one of the most verbose and efficient static code checkers, as well as a vulnerability analyser, that I have worked with. I can open a draft PR with its integration if we are all on the same page @pellared @MadVikingGod

@pellared (Member) commented Oct 9, 2023

@sakshi-1505, we want to use govulncheck. See: https://pkg.go.dev/golang.org/x/vuln

@sakshi-1505 (Contributor)

Thanks @pellared for the update, I will open a PR for this.

@sakshi-1505 (Contributor)

/assign

@pellared (Member) commented Oct 9, 2023

Please check how other tools are versioned, installed and used via Makefile and internal/tools Go module.

@sakshi-1505 (Contributor)

@pellared @codeboten We can close this issue now; we are all green!

@pellared (Member)

> I think we can also use this issue to adopt the same tooling/automation in https://github.com/open-telemetry/opentelemetry-go-contrib

open-telemetry/opentelemetry-go-contrib#4413 is created.

Closing this issue.


5 participants