openzipkin / brave

Java distributed tracing implementation compatible with Zipkin backend services.
Apache License 2.0
2.36k stars 713 forks source link

Adds SECURITY.md and scanning workflow #1437

Closed codefromthecrypt closed 7 months ago

codefromthecrypt commented 7 months ago

This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them).

This is the same approach as approved and merged in https://github.com/openzipkin/zipkin-reporter-java/pull/267