
Security requirements for GA #1333

Open
andrewhsu opened this issue Jan 12, 2021 · 3 comments
Assignees
Labels
area:ga-tracking Tracking high level items for GA release:required-for-ga Must be resolved before GA release, or nice to have before GA

Comments

@andrewhsu
Member

High-level tracking issue for security requirements for OTel GA

I suggest this issue be marked as required-for-ga and the eventual owner update the description if necessary

@andrewhsu andrewhsu added the area:ga-tracking Tracking high level items for GA label Jan 12, 2021
@andrewhsu andrewhsu added the release:required-for-ga Must be resolved before GA release, or nice to have before GA label Jan 19, 2021
@alolita
Member

alolita commented Jan 19, 2021

In order to support security vulnerability scans in the SIG repos for languages and Collector, the following security vulnerability scanning GitHub Actions workflows have been enabled so far.

  1. CodeQL scan - Completed GHA workflows (merged) for the following SIG repos:
  2. GoSec scan: GHA workflows enabling GoSec scans to be run have been completed and merged for the following repos -

Note: GHA workflows were submitted but closed for the Collector and collector-contrib since GoSec is already enabled for the Collector and Collector-contrib repos.

  3. Security policy: @alolita will track work on security guidelines/policy in another issue.

@alolita
Member

alolita commented May 18, 2021

Picking back up on this issue, we're adding further security vulnerability scanning using CodeQL and GoSec to the rest of the OpenTelemetry code repos. We also see the dotNet repo added a CodeQL scan using GitHub Actions in PR open-telemetry/opentelemetry-dotnet#1324.

We are now adding CodeQL scans using GitHub Actions in the following repos:

  • collector-builder
  • cpp
  • cpp-contrib
  • dotnet-instrumentation
  • java-contrib
  • JS-API
  • lambda
  • log-collection
  • operator

We will also be adding GoSec scans to be run using GitHub Actions workflows in the following repos:

  • collector-builder
  • lambda
  • log-collection
  • operator

cc: @xukaren @KKelvinLo

@arminru
Member

arminru commented May 19, 2021

Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!
