Opentelemetry-specification: Security requirements for GA
High-level tracking issue for security requirements for OTel GA
- Security vuln scans in language SIG repos
- related issue https://github.com/open-telemetry/oteps/issues/144
- Security policy
- Other items to track?
I suggest this issue be marked as required-for-ga and the eventual owner update the description if necessary
andrewhsu
All 3 comments
In order to support security vulnerability scans in the SIG repos for languages and Collector, the following security vulnerability scanning GitHub Actions workflows have been enabled so far.
- CodeQL scan - Completed GHA workflows (merged) for the following SIG repos:
- Collector: https://github.com/open-telemetry/opentelemetry-collector/pull/2325
- Collector-contrib: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/1922
- Go: https://github.com/open-telemetry/opentelemetry-go/pull/1428
- Go-contrib: https://github.com/open-telemetry/opentelemetry-go-contrib/pull/506
- JavaScript: https://github.com/open-telemetry/opentelemetry-js/pull/1785
- JavaScript-contrib: https://github.com/open-telemetry/opentelemetry-js-contrib/pull/298
- Java: https://github.com/open-telemetry/opentelemetry-java/pull/2416
- Java-instrumentation: https://github.com/open-telemetry/opentelemetry-java-instrumentation/pull/1971
- Python: https://github.com/open-telemetry/opentelemetry-python/pull/1505
- Python-contrib: https://github.com/open-telemetry/opentelemetry-python-contrib/pull/277
.Net-contrib: https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/55
GoSec scan: GHA workflows enabling GoSec scans to be run have been completed and merged for the following repos -
- Go: https://github.com/open-telemetry/opentelemetry-go/pull/1429
- Go-contrib: https://github.com/open-telemetry/opentelemetry-go-contrib/pull/507
Note: GHA workflows were submitted but closed for the Collector and collector-contrib since GoSec is already enabled for the Collector and Collector-contrib repos.
- Collector: https://github.com/open-telemetry/opentelemetry-collector/pull/2326 (closed)
- Collector-contrib: https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/1923
- Security policy: @alolita will track work on security guidelines/policy in another issue.
alolita
on 19 Jan 2021
Picking back up on this issue, we're adding further security vulnerabilities scanning using CodeQL and GoSec to the rest of the OpenTelemetry code repos. We also see the dotNet repo added a CodeQL scan using GitHub Actions in PR https://github.com/open-telemetry/opentelemetry-dotnet/pull/1324.
We are now adding CodeQL scans using GitHub Actions in the following repos:
- collector-builder
- cpp
- cpp-contrib
- dotnet-instrumentation
- java-contrib
- JS-API
- lambda
- log-collection
- operator
We will also be adding GoSec scans to be run using GitHub Actions workflows in the following repos:
- collector-builder
- lambda
- log-collection
- operator
cc: @xukaren @KKelvinLo
alolita
on 18 May 2021
Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!
arminru
on 19 May 2021
Related issues
bogdandrutu
路
4Comments
naseemkullah
路
5Comments
yurishkuro
路
5Comments
z1c0
路
5Comments
Oberon00
路
4Comments
Most helpful comment
Picking back up on this issue, we're adding further security vulnerabilities scanning using CodeQL and GoSec to the rest of the OpenTelemetry code repos. We also see the dotNet repo added a CodeQL scan using GitHub Actions in PR https://github.com/open-telemetry/opentelemetry-dotnet/pull/1324.
We are now adding CodeQL scans using GitHub Actions in the following repos:
We will also be adding GoSec scans to be run using GitHub Actions workflows in the following repos:
cc: @xukaren @KKelvinLo