[security] audit repository tooling #1991

sakshi-1505 · 2023-10-08T13:19:30Z

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

CodeQL enabled via GitHub Actions
Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
Repository security settings
- Security Policy ✅
- Security advisories ✅
- Private vulnerability reporting ✅
- Dependabot alerts ✅
- Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

sakshi-1505 · 2023-10-08T13:20:16Z

cc: @codeboten @lzchen

Please confirm if vulnerability reporting, dependabot alerts are configured for the repo as I don't have enough access to see those. I don't see us using any staticcode checker for Python, do you folks have any suggestion in mind for the same? I know we can use Mypy or Pylint.

lzchen · 2023-10-09T17:56:21Z

This repo follows the same security rules as the core repo so we can use the issue in the original repo to discuss.

sakshi-1505 mentioned this issue Oct 8, 2023

Audit repositories for security tools open-telemetry/sig-security#12

Open

68 tasks

lzchen closed this as completed Oct 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] audit repository tooling #1991

[security] audit repository tooling #1991

sakshi-1505 commented Oct 8, 2023 •

edited

Loading

sakshi-1505 commented Oct 8, 2023

lzchen commented Oct 9, 2023

[security] audit repository tooling #1991

[security] audit repository tooling #1991

Comments

sakshi-1505 commented Oct 8, 2023 • edited Loading

sakshi-1505 commented Oct 8, 2023

lzchen commented Oct 9, 2023

sakshi-1505 commented Oct 8, 2023 •

edited

Loading