Audit repositories for security tools

[codeboten]

Get a questionnaire to SIGs in the org asking them what tools are enabled in their repos:

• [ ] open-telemetry/.github
• [ ] open-telemetry/assign-reviewers-action
• [ ] https://github.com/open-telemetry/build-tools/issues/212
• [ ] https://github.com/open-telemetry/sig-security/issues/71
• [ ] open-telemetry/docs-cn
• [ ] open-telemetry/docs-ja
• [ ] https://github.com/open-telemetry/opamp-go/issues/208
• [ ] https://github.com/open-telemetry/opamp-java/issues/9
• [ ] open-telemetry/opamp-spec
• [ ] https://github.com/open-telemetry/opentelemetry-android/issues/126
• [x] open-telemetry/opentelemetry-collector
• [ ] open-telemetry/opentelemetry-collector-builder
• [x] open-telemetry/opentelemetry-collector-contrib
• [ ] https://github.com/open-telemetry/opentelemetry-collector-releases/issues/418
• [x] https://github.com/open-telemetry/opentelemetry-configuration/issues/52
• [ ] https://github.com/open-telemetry/opentelemetry-cpp/issues/2282
• [ ] open-telemetry/opentelemetry-cpp-contrib
• [ ] https://github.com/open-telemetry/opentelemetry-demo/issues/1073
• [ ] https://github.com/open-telemetry/opentelemetry-dotnet/issues/4817
• [ ] open-telemetry/opentelemetry-dotnet-contrib
• [ ] open-telemetry/opentelemetry-dotnet-instrumentation
• [ ] https://github.com/open-telemetry/opentelemetry-ebpf/issues/236
• [ ] open-telemetry/opentelemetry-ebpf-build-tools
• [ ] open-telemetry/opentelemetry-erlang
• [ ] open-telemetry/opentelemetry-erlang-api
• [ ] open-telemetry/opentelemetry-erlang-contrib
• [x] https://github.com/open-telemetry/opentelemetry-go/issues/4459
• [x] https://github.com/open-telemetry/opentelemetry-go-build-tools/issues/390
• [x] https://github.com/open-telemetry/opentelemetry-go-contrib/issues/4413
• [ ] https://github.com/open-telemetry/opentelemetry-go-instrumentation/issues/407
• [ ] https://github.com/open-telemetry/opentelemetry-go-vanityurls/issues/19
• [ ] https://github.com/open-telemetry/opentelemetry-helm-charts/issues/930
• [x] https://github.com/open-telemetry/opentelemetry-java/issues/5745
• [ ] open-telemetry/opentelemetry-java-contrib
• [ ] open-telemetry/opentelemetry-java-examples
• [ ] open-telemetry/opentelemetry-java-instrumentation
• [ ] https://github.com/open-telemetry/opentelemetry-js/issues/4101
• [x] open-telemetry/opentelemetry-js-api
• [ ] https://github.com/open-telemetry/opentelemetry-js-contrib/issues/1751
• [x] https://github.com/open-telemetry/opentelemetry-lambda/issues/862
• [ ] open-telemetry/opentelemetry-log-collection
• [ ] open-telemetry/opentelemetry-operator
• [ ] https://github.com/open-telemetry/opentelemetry-php/issues/1131
• [ ] open-telemetry/opentelemetry-php-contrib
• [ ] open-telemetry/opentelemetry-php-instrumentation
• [ ] open-telemetry/opentelemetry-profiling
• [ ] open-telemetry/opentelemetry-proto
• [ ] https://github.com/open-telemetry/opentelemetry-proto-go/issues/139
• [ ] open-telemetry/opentelemetry-proto-java
• [ ] open-telemetry/opentelemetry-proto-profile
• [x] https://github.com/open-telemetry/opentelemetry-python/issues/3467
• [x] https://github.com/open-telemetry/opentelemetry-python-contrib/issues/1991
• [x] https://github.com/open-telemetry/opentelemetry-ruby/issues/1519
• [ ] open-telemetry/opentelemetry-ruby-contrib
• [ ] open-telemetry/opentelemetry-rust
• [ ] open-telemetry/opentelemetry-sandbox-web-js
• [ ] open-telemetry/opentelemetry-specification
• [ ] open-telemetry/opentelemetry-sqlcommenter
• [ ] open-telemetry/opentelemetry-swift
• [ ] https://github.com/open-telemetry/opentelemetry.io/issues/3212
• [ ] open-telemetry/otel-arrow
• [ ] open-telemetry/otel-arrow-collector
• [ ] open-telemetry/oteps
• [ ] open-telemetry/semantic-conventions
• [ ] open-telemetry/semantic-conventions-java
• [ ] open-telemetry/sig-security
• [ ] open-telemetry/stackoverflow2slack
• [ ] https://github.com/open-telemetry/wg-prometheus/issues/74

[codeboten]

Start this by documenting what's enabled in the collector repository and producing a form from it

[codeboten]

The following tools are configured for the OpenTelemetry Collector repository:

• [x] CodeQL enabled via GitHub Actions
• [x] Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build
• [x] Repository security settings
  • [x] Security Policy ✅
  • [x] Security advisories ✅
  • [x] Private vulnerability reporting ✅
  • [x] Dependabot alerts ✅
  • [x] Code scanning alerts ✅

[codeboten]

Confirmed the same is configured for the OpenTelemetry Collector Contrib repository

[JonZeolla]

We should consider Allstar for monitoring organization-wide policies. The quickstart may meet our needs

[svrnm]

+1 for Allstar

[oly-baby]

GOOD DAY,

I AM AN OUTREACH APPLICANT, CAN I WORK ON THIS

[jpkrohling]

@oly-baby, welcome! Sure, feel free to pick one of the repositories from the list (see the issue description), create an issue on the repository to track the work, and write a report similar to @codeboten's one (a few comments up, here: https://github.com/open-telemetry/sig-security/issues/12#issuecomment-1681251485).

[Davidlred]

Hello guys, i'm an Outreachy applicant, and i'd like to work on one of the issue.

how do i take off ?

[jpkrohling]

@Davidlred, see my previous comment. I'd recommend leaving a comment on the issue you pick, stating that you are working on it. If you need ideas for other tasks, join the #otel-sig-security channel on the CNCF Slack.

[sakshi-1505]

Hello @jpkrohling , I am picking up one of the issue from the above list.

[sakshi-1505]

We can use the following tracking issue for opentelemetry-python: https://github.com/open-telemetry/opentelemetry-python/issues/3467

[sakshi-1505]

We can use the following tracking issue for build-tools: https://github.com/open-telemetry/build-tools/issues/212

[sakshi-1505]

We can use the following tracking issue for opentelemetry-python-contrib: https://github.com/open-telemetry/opentelemetry-python-contrib/issues/1991

[arademm]

Hello, I'm an Outreachy applicant. I would love to contribute to this project.

[jpkrohling]

@arademm, see my previous comment. I'd recommend leaving a comment on the issue you pick, stating that you are working on it. If you need ideas for other tasks, join the #otel-sig-security channel on the CNCF Slack.

[pichlermarc]

The open-telemetry/opentelemetry-js-api entry can be checked on the list - it's an archived repository, the package that was hosted there was integrated in to https://github.com/open-telemetry/opentelemetry-js :slightly_smiling_face: