open-telemetry/opentelemetry-ruby

[security] audit repository tooling

codeboten opened this issue · 1 comment

The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:

  • CodeQL enabled via GitHub Actions
  • Static code analysis tool (the collector uses govulncheck [https://pkg.go.dev/golang.org/x/vuln] on every build)
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Parent issue: open-telemetry/sig-security#12
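One way the first two checklist items can be wired up for a Ruby repository, as an added example rather than this repository's own workflow: a GitHub Actions workflow that runs CodeQL with the Ruby language pack and, as the Ruby counterpart of the collector's govulncheck step, runs bundler-audit against the locked gem set on every build. The branch name `main`, the Ruby version, and the presence of a `Gemfile.lock` at the repository root are assumptions.

```yaml
# Added example workflow (not the opentelemetry-ruby project's own file).
name: Security scanning

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'       # weekly run so new CodeQL queries still get applied

permissions:
  contents: read              # least privilege by default; jobs widen as needed

jobs:
  codeql:
    name: CodeQL (Ruby)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write  # required to upload SARIF to code scanning alerts
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ruby
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:ruby"

  gem-audit:
    name: bundler-audit (Ruby analogue of govulncheck)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'   # assumed; pin to the version the project supports
          bundler-cache: true   # assumes a Gemfile.lock at the repository root
      - run: gem install bundler-audit
      # --update refreshes the ruby-advisory-db before checking; a non-zero
      # exit fails the build when a locked gem has a known advisory.
      - run: bundle-audit check --update
```

For a multi-gem repository, the audit job would run once per directory that carries its own `Gemfile.lock`, for example through a matrix over those paths.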

👋 This issue has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the keep label to hold stale off permanently, or do nothing. If you do nothing this issue will be closed eventually by the stale bot.