Skip to content
This repository has been archived by the owner on May 25, 2022. It is now read-only.

Add GoSec Security Scan #154

Merged
merged 6 commits into from
May 21, 2021
Merged

Add GoSec Security Scan #154

merged 6 commits into from
May 21, 2021

Conversation

kxyr
Copy link

@kxyr kxyr commented May 20, 2021

Motivation

Follow up to issue open-telemetry/oteps#144

GoSec is a static analysis engine which scans go source code for security vulnerabilities. As the project grows and we near GA it might be useful to have a workflow which checks for security vulnerabilities so we can ensure every incremental change is following best development practices. Also passing basic security checks will also make sure that there aren't any glaring issues for our users.

Changes

This PR adds GoSec security checks to the repo

  • After every run the workflow uploads the results to GitHub. Details on the run and security alerts will show up in the security tab of this repo.

Workflow Triggers

  • daily cron job at 1:30am
  • workflow_dispatch (in case maintainers want to trigger a security check manually)

cc @alolita

@kxyr kxyr requested a review from a team May 20, 2021 01:03
djaglowski
djaglowski reviewed May 20, 2021
View reviewed changes
Copy link
Member

@djaglowski djaglowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding this.

Just a minor note on the changelog format.

CHANGELOG.md Show resolved Hide resolved
@tigrannajaryan
Copy link
Member

Shouldn't this check be also perform for all PR builds?

@xukaren @djaglowski
Update CHANGELOG.md
ee21ff6 
Co-authored-by: Daniel Jaglowski <[email protected]>
@kxyr
Copy link
Author

kxyr commented May 20, 2021
edited
Loading

Shouldn't this check be also perform for all PR builds?

I wasn't sure, since the CodeQL / GoSec Actions in most other repos, including Go, Java, Javascript, Python were only using a cron job. The Collector switched over from a cron job to on committing to main. I haven't seen any examples of running on every PR, but that seems like a good check as well. Which triggers would the approvers of this repo prefer?

@djaglowski
Copy link
Member

Which triggers would the approvers of this repo prefer?

Thanks, I'd certainly prefer this to be PR triggered so that we detect immediately if an issue is being introduced.

@jsirianni
Copy link
Member

Can we do on PR and recurring against main branch?

Detecting known issues before they are merged is ideal, however, I think it could be possible for issues to be added to the detection engine after merge to main.

@kxyr
Copy link
Author

kxyr commented May 20, 2021
edited
Loading

Added. How should the GoSec scan errors in the CI be addressed?

@kxyr kxyr mentioned this pull request May 20, 2021
Merged
@djaglowski
Copy link
Member

@xukaren, I'll make a PR to your branch.

@djaglowski djaglowski mentioned this pull request May 21, 2021
Merged
@djaglowski
Copy link
Member

@xukaren I decided to just extend your PR, and opened #157, which will supersede this one.

@djaglowski
Copy link
Member

I'm merging this, including the -no-fail flag, which I will remove in #157

@djaglowski djaglowski merged commit d37f340 into open-telemetry:main May 21, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@djaglowski djaglowski djaglowski approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kxyr @tigrannajaryan @djaglowski @jsirianni @xukaren