Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds SECURITY.md and scanning workflow #227

Merged
merged 1 commit into from
Apr 16, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
---
name: security

# We don't scan documentation-only commits.
on: # yamllint disable-line rule:truthy
push: # non-tagged pushes to master
branches:
- master
tags-ignore:
- '*'
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json
pull_request: # pull requests targeted at the master branch.
branches:
- master
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json

jobs:
security:
name: security
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
# skip commits made by the release plugin
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- uses: actions/cache@v4
name: Cache Trivy Database
with:
path: .trivy
key: ${{ runner.os }}-trivy
restore-keys: ${{ runner.os }}-trivy
- name: Run Trivy vulnerability and secret scanner
uses: aquasecurity/trivy-action@master
id: trivy
with:
scan-type: 'fs'
scan-ref: '.' # scan the entire repository
scanners: vuln,secret
exit-code: '1'
severity: HIGH,CRITICAL
output: trivy-report.md
cache-dir: .trivy
- name: Set Summary
shell: bash
if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
# Add the Trivy report to the summary
#
# Note: This will cause a workflow error if trivy-report.md > the step
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
6 changes: 6 additions & 0 deletions RELEASE.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,12 @@

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

1. **Verify all dependencies are up-to-date**

Before you start a release, make sure all dependencies are up-to-date, or are documented why not.
Pay special attention to the [security workflow](.github/workflows/security.yml), which should
run clean.

1. **Alert others you are releasing**

There should be no commits made to master while the release is in progress (about 10 minutes). Before you start
Expand Down
13 changes: 13 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# OpenZipkin Security Process

This document outlines the process for handling security concerns in OpenZipkin projects.

Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml)
should be addressed as a normal pull request.

OpenZipkin is a volunteer community and does not have a dedicated security team. There may be
periods where no volunteer is able to address a security concern. There is no SLA or warranty
offered by volunteers. If you are a security researcher, please consider this before escalating.

For security concerns that are sensitive or otherwise outside the scope of public issues, please
contact [email protected].
Loading