Skip to content
This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

Proposal: Enable security vulnerability scans on OTel repos #144

Closed
alolita opened this issue Dec 30, 2020 · 5 comments
Closed

Proposal: Enable security vulnerability scans on OTel repos #144

alolita opened this issue Dec 30, 2020 · 5 comments
Assignees
Labels
release:allowed-for-ga Editorial changes that can still be added to the GA spec since they don't require action by SIGs

Comments

@alolita
Copy link
Member

alolita commented Dec 30, 2020

Motivation
The OpenTelemetry code repos should have security vulnerability scanning enabled by default. This can be done with a GitHub Actions workflow where a freely available security scan tool - CodeQL can be triggered on a daily basis. Running such a scan would increase trust in the code quality for the project - developer trust in providing more information about security gaps that need to be addressed (e.g. dependency updates that may need to be done) as well as customer trust in using OTel code in production.

Explanation
GitHub provides a CodeQL action workflow that can be enabled on any and all repos. See https://github.com/github/codeql-action. CodeQL automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of queries (https://github.com/github/codeql), which have been developed by the community and the GitHub Security Lab (https://securitylab.github.com/) to find known vulnerabilities in your code.

Internal details
This proposal will not make blocking changes to any code, but instead will provide recommendations for how security of the code can be improved. The current development flow will not be affected as these will not be a part of the CI. These security scans will be run overnight daily as a GitHub workflow in order to consistently check for security vulnerabilities, and the results will be available under the “security” tab within each individual repo.

Trade-offs and mitigations
There are no trade-offs with this proposal, it is simply to shed light upon security recommendations. Enabling this workflow is a win-win for the developer and the customer.

Prior art and alternatives
Other security scanners such as Veracode and SonarQube also exist, however CodeQL is free, and easy to set up as a GitHub Workflow.

Future possibilities
More workflows can be added as well for security scanning. For example, we can add GoSec for the Go-based projects (ie. Collector, Go SDK, Go-Contrib). If there are popular scanning tools used for other languages, please feel free to add to this thread.

cc: @amanbrar1999 @AzfaarQureshi @shovnik

@andrewhsu andrewhsu added the release:allowed-for-ga Editorial changes that can still be added to the GA spec since they don't require action by SIGs label Jan 5, 2021
@trask
Copy link
Member

trask commented Jan 14, 2021

Hey all, we got our first CodeQL security alert! (https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/code-scanning/1)

But we didn't notice it for several days, because it didn't generate any notifications (@anuraaga just happened to go looking for it today).

Does anyone know what we need to make it generate notifications?

Thanks!

@alolita
Copy link
Member Author

alolita commented May 18, 2021

Please assign @xukaren and @KKelvinLo to this issue too - since they're adding the security workflows for the rest of the OpenTelemetry code repos. See open-telemetry/opentelemetry-specification#1333 for additional detail.

@arminru
Copy link
Member

arminru commented May 19, 2021

Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!

@arminru
Copy link
Member

arminru commented May 19, 2021

@alolita Should we close this issue in favor of open-telemetry/opentelemetry-specification#1333 and keep track of the progress there?

@trask
Copy link
Member

trask commented Nov 19, 2024

Closing as stale

@trask trask closed this as completed Nov 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
release:allowed-for-ga Editorial changes that can still be added to the GA spec since they don't require action by SIGs
Projects
None yet
Development

No branches or pull requests

4 participants