forked from open-telemetry/sig-security
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b291149
commit a39de92
Showing
1 changed file
with
31 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| ## SIG Security's use of Allstar for the OpenTelemetry project | ||
|
|
||
| [Allstar](https://openssf.org/blog/2021/08/11/introducing-the-allstar-github-app/) is a security policy engine that helps organizations automate and enforce security best practices. It can be used to scan code, dependencies, and infrastructure for vulnerabilities. It can also be used to enforce best practices for code reviews, security testing, and vulnerability management. | ||
|
|
||
| SIG Security uses Allstar to improve and enforce security best practices for the OpenTelemetry(OTEL) project.This includes; | ||
| - Scanning code, dependencies, and infrastructure for vulnerabilities. | ||
| - Enforcing best practices for code reviews. | ||
| - Security testing, and vulnerability management. | ||
| - Branch protection. | ||
|
|
||
| ### Examples of some use cases | ||
| Here are some specific examples of how SIG Security members use Allstar: | ||
| - Scan all code changes before they are merged into the main branch to identify and fix security vulnerabilities early on. | ||
| - Enforce a security policy for all repositories to ensure that all repositories have basic security measures in place, such as a security policy and enabled security advisories. | ||
| - Scan all dependencies for vulnerabilities to identify and fix vulnerabilities in dependencies before they are used. | ||
| - Configure branch protection to prevent unauthorized changes to code branches. | ||
| - Security testing: This helps to ensure that all code is tested for security vulnerabilities before it is released. | ||
| - Code review requirements: This helps to ensure that all code is reviewed by other developers before it is merged into the main branch. | ||
|
|
||
|
|
||
| ## Benefits of using Allstar | ||
|
|
||
| There are a number of benefits to using Allstar for the OTEL project, including: | ||
|
|
||
| - **Reduced workload for security team**: Allstar can automate many of the tasks that the security team would otherwise have to do manually, such as scanning code and dependencies for vulnerabilities and enforcing security policies. This frees up the security team to focus on other tasks, such as investigating and responding to security incidents. | ||
| - **Improved security posture**: By enforcing security best practices and identifying security vulnerabilities early on, Allstar helps SIG Security to improve the overall security posture of the OpenTelemetry project. | ||
| - **Increased confidence in the security of the OTEL project**: By using Allstar, SIG Security can be more confident that the OpenTelemetry project is secure. This can give users and contributors more confidence in the project and make them more likely to use it. | ||
|
|
||
|
|
||
| Overall, Allstar is a powerful tool that helps the SIG Security team to improve the security of the OpenTelemetry project in a number of ways. SIG Security encourages all members to use Allstar to help improve the security of the OTEL project. | ||
|
|