Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds SECURITY.md and scanning workflow #267

Merged
merged 4 commits into from
Apr 15, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ on: # yamllint disable-line rule:truthy

jobs:
lint:
name: Lint
name: lint
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
# skip commits made by the release plugin
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
Expand Down
56 changes: 56 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
---
name: security

# We don't scan documentation-only commits.
on: # yamllint disable-line rule:truthy
push: # non-tagged pushes to master
branches:
- master
tags-ignore:
- '*'
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json
pull_request: # pull requests targeted at the master branch.
branches:
- master
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json

jobs:
security:
name: security
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish
# skip commits made by the release plugin
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- uses: actions/cache@v4
name: Cache Trivy Database
with:
path: .trivy
key: ${{ runner.os }}-trivy
restore-keys: ${{ runner.os }}-trivy
- name: Run Trivy vulnerability and secret scanner
uses: aquasecurity/trivy-action@master
id: trivy
with:
scan-type: 'fs'
scan-ref: '.' # scan the entire repository
scanners: vuln,secret
exit-code: '1'
severity: HIGH,CRITICAL
output: trivy-report.md
cache-dir: .trivy
- name: Set Summary
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intentionally just setting the summary vs opting into GitHub features. When we run trivy like this, it is basically the same as trivy fs . so quite easy and has no licensing or other impact with GitHub, nor any new tabs to accidentally ignore.

shell: bash
if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
# Add the Trivy report to the summary
#
# Note: This will cause a workflow error if trivy-report.md > the step
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth adding a link or comment about the 1MB limit on step summary.

https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#step-isolation-and-limits

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hopefully we don't end up with over 1MB of CVE descriptions, but sure ;)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

put a note with a cheeky suggestion if this happens :D

6 changes: 6 additions & 0 deletions RELEASE.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,12 @@

This repo uses semantic versions. Please keep this in mind when choosing version numbers.

1. **Verify all dependencies are up-to-date**

Before you start a release, make sure all dependencies are up-to-date, or are documented why not.
Pay special attention to the [security workflow](.github/workflows/security.yml), which should
run clean.

1. **Alert others you are releasing**

There should be no commits made to master while the release is in progress (about 10 minutes). Before you start
Expand Down
13 changes: 13 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# OpenZipkin Security Process

This document outlines the process for handling security concerns in OpenZipkin projects.

Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml)
should be addressed as a normal pull request.

OpenZipkin is a volunteer community and does not have a dedicated security team. There may be
periods where no volunteer is able to address a security concern. There is no SLA or warranty
offered by volunteers. If you are a security researcher, please consider this before escalating.

For security concerns that are sensitive or otherwise outside the scope of public issues, please
contact [email protected].