-
Notifications
You must be signed in to change notification settings - Fork 41
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for adding this.
Just a minor note on the changelog format.
Shouldn't this check be also perform for all PR builds? |
Co-authored-by: Daniel Jaglowski <jaglows3@gmail.com>
I wasn't sure, since the CodeQL / GoSec Actions in most other repos, including Go, Java, Javascript, Python were only using a cron job. The Collector switched over from a cron job to on committing to main. I haven't seen any examples of running on every PR, but that seems like a good check as well. Which triggers would the approvers of this repo prefer? |
Thanks, I'd certainly prefer this to be PR triggered so that we detect immediately if an issue is being introduced. |
Can we do on PR and recurring against main branch? Detecting known issues before they are merged is ideal, however, I think it could be possible for issues to be added to the detection engine after merge to main. |
Added. How should the GoSec scan errors in the CI be addressed? |
@xukaren, I'll make a PR to your branch. |
I'm merging this, including the |
Motivation
Follow up to issue open-telemetry/oteps#144
GoSec is a static analysis engine which scans go source code for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.
Changes
This PR adds GoSec security checks to the repo
Workflow Triggers
cc @alolita