Open bryan-aguilar opened 1 year ago
Aneurysm9
commented
1 year ago Petition for a maintainer+securityAdvisory role to be created in the opentelemetry organization.
GitHub has recently made this a non-issue by granting this access to everyone with write access to a repository.
jvoravong
commented
1 year ago Hey community, I likely will be adding Trivy scanning in a downstream project I contribute to. I could contribute my changes upstream (here) instead for adding Trivy scanning. If adding Trivy scanning is desired by the code owners, please assign me this task or a new associated task for this.
Side Note for @bryan-aguilar Trivy, This chart is indexed in https://artifacthub.io/packages/helm/opentelemetry-helm/opentelemetry-operator. From artifacthub.io documentation, I believe they use Trivy to generate a the "SECURITY REPORT" on the opentelemetry-operator artifacthub.io page. Someone feel free to correct me if I am wrong here.
To provide the best experience for end users this repository should maintain a high security posture. CVEs should be responded to in a timely manner once notified or made public. Many end users also utilize image scanning tooling for insight on whether or not consumed artifacts are affected by CVEs. Examples of these tools are trivy or primza.
To provide the most secure artifacts for end users I propose that an additional automated artifact scanning tool should be evaluated. This scanning would be able to alert the maintainers, approvers, and the community on issues where existing solutions may not. These tools may also generate false positives, which is okay. Not all affected packages with known CVEs will be exploitable in this repository. These false positives are helpful though because their dependencies should still be updated when possible. End users may not have the expertise to correctly identify when a CVE alert is a false positive. Even when a false positive is identified, enterprise policies could dictate that packages must be updated to suppress the scanning alarms.
GitHub already provides a base layer of security with the implementation of Codeql scanning and Dependabot security alerts. I believe this is a good start and should be leveraged completely. CodeQL is already implemented in this repository and I believe dependabot security scanning is enabled also.
Based on conversations with maintainers of OTel repositories I do not believe an organization role exists give access to dependeabot security advisors to maintainers. This is still limited to organizational admins. GitHub provides the ability to create a custom role that would allows maintainers to access dependabot security advisories. I do not believe there is a good reason to keep this information obscured. There is nothing stopping me from forking this repository and enabling security scanning on my fork. I would see the same information.
The summary of my two proposals:
maintainer+securityAdvisoryrole to be created in theopentelemetryorganization.