
[security] audit repository tooling #1131

Open
3 of 8 tasks
Tracked by #12
sakshi-1505 opened this issue Oct 22, 2023 · 4 comments
Labels
stale This issue didn't have recent activity

Comments

@sakshi-1505

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12

@sakshi-1505
Author

@brettmc Please confirm whether the Dependabot alerts & scanning alerts are present. I don't see CodeQL configured or any vulnerability static checker configured in CI; do you mind if I take over the tasks of adding CodeQL & a static code checker for PHP?

@sakshi-1505
Author

/assign

@brettmc
Collaborator

brettmc commented Oct 22, 2023

Hi @sakshi-1505, it's all yours to see what you can do.

We have a few static code analysis tools already running as part of CI: psalm, phan, phpstan. You should check whether those already provide adequate security scanning, and by all means go and research other options to see if any can provide additional value.

It doesn't look like CodeQL supports PHP yet, so that's a non-starter.
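Since CodeQL has no PHP support, one way to still satisfy the "Code scanning alerts" item in the checklist above with the tools brettmc mentions is to have Psalm's taint analysis emit SARIF and upload it to code scanning. The workflow below is an added example, not a file from this issue or from the opentelemetry-php repository; the action versions, the PHP version, the schedule, and the presence of a `psalm.xml` in the repository are assumptions.

```yaml
# .github/workflows/psalm-taint.yml (added example; assumes psalm.xml already
# exists, as the project's existing psalm CI step suggests)
name: psalm-taint-analysis

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '17 4 * * 1'   # weekly run, assumed schedule

permissions:
  contents: read
  security-events: write   # needed to upload SARIF into Code scanning alerts

jobs:
  taint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'   # assumed version
          coverage: none

      - run: composer install --no-interaction --no-progress --prefer-dist

      # --taint-analysis tracks untrusted input (request data, env vars) to
      # sinks such as shell, SQL, file and HTML output. Psalm picks the SARIF
      # format from the report file extension. continue-on-error lets the
      # upload step run even when findings make psalm exit non-zero, so the
      # results show up in the Security tab instead of only failing the job.
      - name: Run psalm taint analysis
        run: vendor/bin/psalm --taint-analysis --report=psalm-taint.sarif
        continue-on-error: true

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: psalm-taint.sarif
          category: psalm-taint   # keeps these alerts separate from other SARIF uploads
```

Dependabot alerts and private vulnerability reporting are repository settings rather than workflow steps, so they still need to be checked in the repository's Security settings.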


stale bot commented Mar 17, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale This issue didn't have recent activity label Mar 17, 2024