
Proposal: Enable security vulnerability scans on OTel repos #144

Open
alolita opened this issue Dec 30, 2020 · 4 comments
Labels
release:allowed-for-ga Editorial changes that can still be added to the GA spec since they don't require action by SIGs

Comments

@alolita
Member

alolita commented Dec 30, 2020

Motivation
The OpenTelemetry code repos should have security vulnerability scanning enabled by default. This can be done with a GitHub Actions workflow where a freely available security scan tool, CodeQL, can be triggered on a daily basis. Running such a scan would increase trust in the code quality for the project: developer trust, by providing more information about security gaps that need to be addressed (e.g. dependency updates that may need to be done), as well as customer trust in using OTel code in production.

Explanation
GitHub provides a CodeQL action workflow that can be enabled on any and all repos. See https://github.com/github/codeql-action. CodeQL automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of queries (https://github.com/github/codeql), which have been developed by the community and the GitHub Security Lab (https://securitylab.github.com/) to find known vulnerabilities in your code.

Internal details
This proposal will not make blocking changes to any code, but instead will provide recommendations for how security of the code can be improved. The current development flow will not be affected as these will not be a part of the CI. These security scans will be run overnight daily as a GitHub workflow in order to consistently check for security vulnerabilities, and the results will be available under the “security” tab within each individual repo.

Trade-offs and mitigations
There are no trade-offs with this proposal; it is simply to shed light upon security recommendations. Enabling this workflow is a win-win for the developer and the customer.

Prior art and alternatives
Other security scanners such as Veracode and SonarQube also exist; however, CodeQL is free and easy to set up as a GitHub Workflow.

Future possibilities
More workflows can be added as well for security scanning. For example, we can add GoSec for the Go-based projects (i.e. Collector, Go SDK, Go-Contrib). If there are popular scanning tools used for other languages, please feel free to add to this thread.

cc: @amanbrar1999 @AzfaarQureshi @shovnik
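As an added illustration of the workflow the proposal describes (this is example configuration written for this page, not code from the issue author or from any OpenTelemetry repository): a GitHub Actions workflow that runs CodeQL on a nightly schedule, independent of the PR/CI flow, and uploads the results to the repository's Security tab. The cron time, the language matrix and the query suite are assumptions to be adjusted per repo.

```yaml
# Added example, not part of the original issue or any OTel repo.
# Nightly CodeQL scan whose results land in the repository's Security tab.
name: CodeQL nightly scan

on:
  schedule:
    # 03:00 UTC every day (assumed time); not tied to pushes or pull requests,
    # so the normal development flow is unaffected.
    - cron: '0 3 * * *'
  workflow_dispatch: {}   # allow a manual run to verify the setup

# Least-privilege token: read the source, write only to code-scanning alerts.
permissions:
  contents: read
  security-events: write  # required to upload SARIF results to the Security tab

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Languages present in the scanned repo (assumption; set per repo).
        language: [ 'go', 'java' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # 'security-extended' adds lower-precision security queries on top
          # of the default suite; drop this line to keep only the defaults.
          queries: security-extended

      # Builds compiled languages (Go, Java) so CodeQL can extract a database.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v2
        with:
          # One category per language so results from matrix legs don't overwrite each other.
          category: "/language:${{ matrix.language }}"
```

Because the trigger is `schedule` rather than `pull_request`, a finding never blocks a merge; it only appears as an alert under the Security tab, which matches the proposal's non-blocking intent. The `permissions` block is what lets the analyze step upload results; without `security-events: write` the scan runs but the alerts are not recorded.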

@andrewhsu andrewhsu added the release:allowed-for-ga Editorial changes that can still be added to the GA spec since they don't require action by SIGs label Jan 5, 2021
@trask
Member

trask commented Jan 14, 2021

Hey all, we got our first CodeQL security alert! (https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/code-scanning/1)

But we didn't notice it for several days, because it didn't generate any notifications (@anuraaga just happened to go looking for it today).

Does anyone know what we need to make it generate notifications?

Thanks!

@alolita
Member Author

alolita commented May 18, 2021

Please assign @xukaren and @KKelvinLo to this issue too - since they're adding the security workflows for the rest of the OpenTelemetry code repos. See open-telemetry/opentelemetry-specification#1333 for additional detail.

@arminru
Member

arminru commented May 19, 2021

Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!

@arminru
Member

arminru commented May 19, 2021

@alolita Should we close this issue in favor of open-telemetry/opentelemetry-specification#1333 and keep track of the progress there?
