
[security] audit repository tooling #71

Open
4 of 8 tasks
Tracked by #12
EjiroLaurelD opened this issue Oct 22, 2023 · 2 comments

Comments

@EjiroLaurelD
Contributor

EjiroLaurelD commented Oct 22, 2023

Hello,
The Security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: #12

@trask
Member

trask commented Oct 24, 2023

hi @EjiroLaurelD!

I verified these are enabled on the repository:

  • Private vulnerability reporting
  • Dependabot alerts

There's not much code in this repository (a few scripts and GitHub Actions), so I suspect that the others may not apply.

@EjiroLaurelD
Contributor Author

> hi @EjiroLaurelD!
>
> I verified these are enabled on the repository:
>
>   • Private vulnerability reporting
>   • Dependabot alerts
>
> There's not much code in this repository (a few scripts and GitHub Actions), so I suspect that the others may not apply.

Thank you for your response

@trask trask transferred this issue from open-telemetry/community Sep 3, 2024