open-telemetry / opentelemetry-specification

Specifications for OpenTelemetry
https://opentelemetry.io
Apache License 2.0

Security requirements for GA #1333

Open andrewhsu opened 3 years ago

andrewhsu commented 3 years ago

High-level tracking issue for security requirements for OTel GA

I suggest this issue be marked as required-for-ga and the eventual owner update the description if necessary

alolita commented 3 years ago

In order to support security vulnerability scans in the SIG repos for languages and Collector, the following security vulnerability scanning GitHub Actions workflows have been enabled so far.

  1. CodeQL scan - Completed GHA workflows (merged) for the following SIG repos:

  2. GoSec scan: GHA workflows enabling GoSec scans to be run have been completed and merged for the following repos -

Note: GHA workflows were submitted but closed for the Collector and collector-contrib since GoSec is already enabled for the Collector and Collector-contrib repos.

  3. Security policy: @alolita will track work on security guidelines/policy in another issue.

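For readers following this issue, the following is an added example of what the tracked work looks like in practice: a single GitHub Actions workflow for a Go SIG repo that runs both scans named in this comment and the follow-up below, CodeQL and gosec. It is not copied from any OpenTelemetry repository. The action names (`github/codeql-action`, `securego/gosec`, `actions/checkout`) are the public actions; the version pins, branch name, cron schedule and the choice to keep gosec non-blocking are assumptions to adjust per repo.

```yaml
# Added example workflow (not from an OpenTelemetry repo): CodeQL + gosec scans.
# Version pins (@v3, @v2, @master), branch names and the schedule are assumptions.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # weekly run so newly added CodeQL queries also cover unchanged code

permissions:
  contents: read
  security-events: write   # required to upload SARIF findings to the repo's code scanning tab

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: go
          queries: security-extended   # wider query pack than the default set
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2

  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run gosec
        uses: securego/gosec@master
        with:
          # -no-fail keeps the job green while findings still land in code scanning;
          # drop it once the initial backlog is triaged so new findings block merges.
          args: '-no-fail -fmt sarif -out results.sarif ./...'
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Running the two scanners as separate jobs keeps a gosec configuration problem from hiding a CodeQL result (and vice versa), and uploading gosec's SARIF through `upload-sarif` puts both tools' findings in the same code scanning view, so triage happens in one place per repo.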
alolita commented 3 years ago

Picking back up on this issue, we're adding further security vulnerabilities scanning using CodeQL and GoSec to the rest of the OpenTelemetry code repos. We also see the dotNet repo added a CodeQL scan using GitHub Actions in PR https://github.com/open-telemetry/opentelemetry-dotnet/pull/1324.

We are now adding CodeQL scans using GitHub Actions in the following repos:

We will also be adding GoSec scans to be run using GitHub Actions workflows in the following repos:

cc: @xukaren @KKelvinLo

arminru commented 3 years ago

Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!