-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds SECURITY.md and scanning workflow #267
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
--- | ||
name: security | ||
|
||
# We don't scan documentation-only commits. | ||
on: # yamllint disable-line rule:truthy | ||
push: # non-tagged pushes to master | ||
branches: | ||
- master | ||
tags-ignore: | ||
- '*' | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
pull_request: # pull requests targeted at the master branch. | ||
branches: | ||
- master | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
|
||
jobs: | ||
security: | ||
name: security | ||
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish | ||
# skip commits made by the release plugin | ||
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')" | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
- uses: actions/cache@v4 | ||
name: Cache Trivy Database | ||
with: | ||
path: .trivy | ||
key: ${{ runner.os }}-trivy | ||
restore-keys: ${{ runner.os }}-trivy | ||
- name: Run Trivy vulnerability and secret scanner | ||
uses: aquasecurity/trivy-action@master | ||
id: trivy | ||
with: | ||
scan-type: 'fs' | ||
scan-ref: '.' # scan the entire repository | ||
scanners: vuln,secret | ||
exit-code: '1' | ||
severity: HIGH,CRITICAL | ||
output: trivy-report.md | ||
cache-dir: .trivy | ||
- name: Set Summary | ||
shell: bash | ||
if: ${{ failure() && steps.trivy.conclusion == 'failure' }} | ||
# Add the Trivy report to the summary | ||
# | ||
# Note: This will cause a workflow error if trivy-report.md > the step | ||
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;) | ||
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Might be worth adding a link or comment about the 1MB limit on step summary. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. hopefully we don't end up with over 1MB of CVE descriptions, but sure ;) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. put a note with a cheeky suggestion if this happens :D |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# OpenZipkin Security Process | ||
|
||
This document outlines the process for handling security concerns in OpenZipkin projects. | ||
|
||
Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml) | ||
should be addressed as a normal pull request. | ||
|
||
OpenZipkin is a volunteer community and does not have a dedicated security team. There may be | ||
periods where no volunteer is able to address a security concern. There is no SLA or warranty | ||
offered by volunteers. If you are a security researcher, please consider this before escalating. | ||
|
||
For security concerns that are sensitive or otherwise outside the scope of public issues, please | ||
contact [email protected]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
intentionally just setting the summary vs opting into GitHub features. When we run trivy like this, it is basically the same as
trivy fs .
so quite easy and has no licensing or other impact with GitHub, nor any new tabs to accidentally ignore.