
[security] audit repository tooling #930

Open
3 of 8 tasks
Tracked by #12
EjiroLaurelD opened this issue Oct 21, 2023 · 6 comments

Comments

@EjiroLaurelD

EjiroLaurelD commented Oct 21, 2023

The Security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

@EjiroLaurelD
Author

Hello @dmitryax @TylerHelmuth
Please confirm if the items on the checklist above are enabled/configured for the repo, as I do not have access to see some of them.
Thank you.
cc @codeboten

@TylerHelmuth
Member

@EjiroLaurelD @codeboten we have no code in this repo. Do the first 2 tasks apply to this repository?

@TylerHelmuth
Member

TylerHelmuth commented Oct 23, 2023

Private vulnerability reporting is enabled.

Dependabot alerts are disabled and I do not have permission to update them. We do currently use Dependabot to update GitHub Actions. I believe we'd need the TC to make changes.

Code scanning alerts are disabled. As mentioned before, this repo does not have code to scan.

@EjiroLaurelD
Author

> @EjiroLaurelD @codeboten we have no code in this repo. Do the first 2 tasks apply to this repository?

The repo has Helm charts in it. As a suggestion, we can use Aqua Trivy as a static code analysis tool for the repo.

@TylerHelmuth
Member

I am not familiar with that tool. Is it testing that the helm chart is installable? If so, we are using chart-testing for that.

Is it testing whether or not the thing the helm chart installs has security issues? If it is, then would that produce duplicate security warnings since the applications we deploy are OpenTelemetry applications that would trigger security alerts in their own repos?

@EjiroLaurelD
Author

I am not very familiar with the tool myself, but I have seen it used on a few IaC projects online.
This is what I found out about Aqua Trivy upon investigating its use case for Helm charts.

I found that Trivy can be used to test whether a Helm chart is installable, but it is not primarily a testing tool. It is a security scanning tool that is used mainly in development to scan the Helm Charts for security vulnerabilities, misconfigurations and secrets without executing the chart.

Yes it may produce duplicate security warnings for the OpenTelemetry applications, but this can be reduced if Trivy is configured to ignore certain types of warnings. For example, it can be configured to ignore warnings for known vulnerabilities that have already been patched in the OpenTelemetry applications.

Another way to reduce the number of duplicate security warnings is to integrate Trivy with the CI/CD pipeline. This will allow running Trivy scans on Helm charts as part of the build process. The CI/CD pipeline can then be configured to only fail the build if Trivy finds new security vulnerabilities that have not already been patched in the OpenTelemetry applications.

I hope this helps.
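As an added illustration of the setup discussed above (not part of this issue or the repository), here is a GitHub Actions workflow that runs Trivy's misconfiguration scan over the Helm charts, fails only on high/critical findings not listed in a triaged `.trivyignore` file, and uploads the results as SARIF so they surface under the repo's code scanning alerts. The `charts/` path and the pinned action versions are assumptions.

```yaml
# Added example workflow; not the repository's own CI. The charts/ path and
# the action version tags are assumptions: pin them to what the repo uses.
name: trivy-helm-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning alerts

jobs:
  trivy-config:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # `trivy config` scans the rendered chart templates for misconfigurations
      # and embedded secrets without installing anything. IDs listed in
      # .trivyignore (findings already triaged as fixed upstream in the
      # OpenTelemetry applications) are skipped, so only new findings block.
      - name: Trivy config scan (blocking on new HIGH/CRITICAL findings)
        uses: aquasecurity/trivy-action@0.16.0
        with:
          scan-type: config
          scan-ref: charts/
          severity: HIGH,CRITICAL
          exit-code: '1'
          trivyignores: .trivyignore

      # Second, non-blocking pass emits SARIF for the Security tab so the
      # "Code scanning alerts" item on the checklist has data to show.
      - name: Trivy config scan (SARIF report)
        if: always()
        uses: aquasecurity/trivy-action@0.16.0
        with:
          scan-type: config
          scan-ref: charts/
          format: sarif
          output: trivy-helm.sarif
          exit-code: '0'

      - name: Upload results to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-helm.sarif
```

The `.trivyignore` file holds one finding ID per line, with a comment noting why each was accepted, so the suppression list is itself reviewable in pull requests.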
