[security] audit repository tooling #4413

sakshi-1505 · 2023-10-10T18:47:20Z

The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

CodeQL enabled via GitHub Actions
Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
Repository security settings
- Security Policy ✅
- Security advisories ✅
- Private vulnerability reporting ✅
- Dependabot alerts ✅
- Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

sakshi-1505 · 2023-10-10T18:48:11Z

@pellared Please confirm if we have dependant alerts enabled as well as vulnerability reporting for the repo.

sakshi-1505 · 2023-10-10T18:48:37Z

/assign

pellared assigned sakshi-1505 Oct 10, 2023

pellared mentioned this issue Oct 10, 2023

[security] audit repository tooling open-telemetry/opentelemetry-go#4459

Closed

8 tasks

sakshi-1505 mentioned this issue Oct 12, 2023

[chore] add govulncheck #4417

Merged

pellared closed this as completed in #4417 Oct 19, 2023

This was referenced Oct 23, 2023

[security] audit repository tooling #4453

Closed

Audit repositories for security tools open-telemetry/sig-security#12

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] audit repository tooling #4413

[security] audit repository tooling #4413

sakshi-1505 commented Oct 10, 2023 •

edited

Loading

sakshi-1505 commented Oct 10, 2023

sakshi-1505 commented Oct 10, 2023

[security] audit repository tooling #4413

[security] audit repository tooling #4413

Comments

sakshi-1505 commented Oct 10, 2023 • edited Loading

sakshi-1505 commented Oct 10, 2023

sakshi-1505 commented Oct 10, 2023

sakshi-1505 commented Oct 10, 2023 •

edited

Loading