open-telemetry / opentelemetry-php

The OpenTelemetry PHP Library
https://opentelemetry.io/docs/instrumentation/php/
Apache License 2.0

[security] audit repository tooling #1131

Open sakshi-1505 opened 1 year ago

sakshi-1505 commented 1 year ago

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

Parent issue: https://github.com/open-telemetry/sig-security/issues/12

sakshi-1505 commented 1 year ago

@brettmc Please confirm if the Dependabot alerts & scanning alerts are present. I don't see CodeQL configured & any vulnerability static checker configured in CI; do you mind if I take over the tasks of adding CodeQL & a static code checker for PHP?

sakshi-1505 commented 1 year ago

/assign

brettmc commented 1 year ago

Hi @sakshi-1505 it's all yours to see what you can do.

We have a few static code analysis tools already running as part of CI: psalm, phan, phpstan. You should check whether those already provide adequate security scanning, and by all means go and research other options to see if any can provide additional value.

It doesn't look like CodeQL supports PHP yet, so that's a non-starter.
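One way to get code-scanning alerts for PHP without CodeQL, as an added example that is not part of this thread or of the project's own CI: a GitHub Actions job that runs Psalm's taint analysis (Psalm is already in the project's CI per the comment above) and uploads its SARIF report to GitHub code scanning. It assumes Psalm is installed through Composer with a psalm.xml at the repository root; the PHP version and action versions are placeholders to adjust.

```yaml
# Added example (not the project's own workflow): run Psalm taint analysis
# in CI and publish the findings as GitHub code-scanning alerts.
# Assumptions: psalm is a Composer dev dependency and psalm.xml exists at
# the repo root; PHP and action versions are placeholders, adjust as needed.
name: psalm-security

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to upload SARIF to code scanning

jobs:
  taint-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '8.2'
          coverage: none

      - run: composer install --no-interaction --prefer-dist

      # --taint-analysis follows untrusted input (request data, env, etc.)
      # to sinks such as SQL, shell, file and HTML output; --report writes
      # the findings as SARIF. Psalm exits non-zero when it reports issues,
      # so keep going to make sure the upload step still runs.
      - run: vendor/bin/psalm --taint-analysis --report=results.sarif
        continue-on-error: true

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Once uploaded, the findings appear under the repository's Security tab as code-scanning alerts, the same place CodeQL results would land for a supported language.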

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.