Open codeboten opened 1 year ago
Good day,
Please can I work on this?
Hi @oly-baby, sure! Please take a look at a comment I left here: https://github.com/open-telemetry/sig-security/issues/12#issuecomment-1748630636
@codeboten could you please throw more light on the checklist you made? Is the job just to check what can be done, and how complex should the documentation be?
@Davidlred, the checklist is a simple "yes, the item is present in the repository" or "no, there's no usage of the proposed tool". No further documentation is needed other than checking whether the items are being used.
Thank you for the clarification. I really appreciate it.
On Thu, 5 Oct 2023 at 14:28, Juraci Paixão Kröhling wrote:
> @Davidlred, the checklist is a simple "yes, the item is present in the repository" or "no, there's no usage of the proposed tool". No further documentation is needed other than checking whether the items are being used.
In issue open-telemetry/community#12, I proposed the following checklist to audit all the organization's repositories:
- [ ] CodeQL enabled via GitHub Actions
- [ ] Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build
- [ ] Repository security settings
  - [ ] Security Policy ✅
  - [ ] Security advisories ✅
  - [ ] Private vulnerability reporting ✅
  - [ ] Dependabot alerts ✅
  - [ ] Code scanning alerts ✅
Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:
- determine how much of the checklist allstar can cover
- what items on the checklist above still need to be manually configured in individual repositories
- propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
- document the usage of allstar in the security sig repository
I have determined what Allstar can cover using the checklist that was provided; the steps to enable Allstar have also been proposed using the quick start (I did a test run on my GitHub to be sure how it works). I created issues on some repositories using the checklist, checking and confirming with maintainers what is enabled on the repo. I have gotten responses from two repos so far: community and Helm-charts. The usage of Allstar in the security-sig repository has been documented here.
In line with the requirements of this issue, and using the checklist provided, I've been able to gather information through simple testing along with studying the different documentation. I've compiled a detailed report on the use of Allstar, including how to get started, HERE.
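For the "propose the steps needed to enable allstar across the organization" item, the org-wide part of the setup is two files in a repository named `.allstar` in the organization, read by the Allstar GitHub App after it is installed on the org. Below is an added example of those two files; it is not the SIG's own configuration, and the opted-out repository name is a placeholder. The `security.yaml` policy is Allstar's SECURITY.md check, which is the one checklist item Allstar covers directly ("Security Policy"); Dependabot alerts, code scanning alerts, private vulnerability reporting and advisories are GitHub repository settings that, to my knowledge, have no Allstar policy and still need the per-repository issues described in this thread.

```yaml
# .allstar/allstar.yaml  (org-wide behaviour; lives in a repo named ".allstar")
optConfig:
  optOutStrategy: true            # enforce on every repo in the org unless it opts out below
  optOutRepos:
    - archived-example-repo       # placeholder name, not a real OpenTelemetry repository
  optOutPrivateRepos: false       # private repos are audited too
  disableRepoOverride: false      # a repo may still relax a policy in its own .allstar/ directory
---
# .allstar/security.yaml  (the SECURITY.md policy; one file per enabled policy)
optConfig:
  optOutStrategy: true
action: issue                     # open a tracking issue in the failing repo instead of only logging
```

Before switching `action` from `log` to `issue` org-wide, run the policy with `action: log` once and read the App's logs; Allstar files one issue per repository per policy, so an org with many repositories that lack a SECURITY.md will receive that many issues at once.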
/assign
Assigned, thanks @sakshi-1505!
Originally posted by @JonZeolla in https://github.com/open-telemetry/sig-security/issues/12#issuecomment-1699457358