Security requirements for GA

[andrewhsu]

High-level tracking issue for security requirements for OTel GA

• Security vuln scans in language SIG repos
  • related issue Proposal: Enable security vulnerability scans on OTel repos oteps#144
• Security policy
  • related PR Add SECURITY.md .github#1
• Other items to track?

I suggest this issue be marked as required-for-ga and the eventual owner update the description if necessary

[alolita]

In order to support security vulnerability scans in the SIG repos for languages and Collector, the following security vulnerability scanning GitHub Actions workflows have been enabled so far.

1. CodeQL scan - Completed GHA workflows (merged) for the following SIG repos:

• Collector: [1/2] Add Security workflows: CodeQL scan workflow opentelemetry-collector#2325
• Collector-contrib: [1/2] Add Security workflows: CodeQL scan workflow opentelemetry-collector-contrib#1922
• Go: Adding Security Workflows to GitHub Actions (1/2): codeql workflow opentelemetry-go#1428
• Go-contrib: Adding Security Workflows to GitHub Actions (1/2): codeql workflow opentelemetry-go-contrib#506
• JavaScript: Add CodeQL security scans opentelemetry-js#1785
• JavaScript-contrib: Add CodeQL Security Scans opentelemetry-js-contrib#298
• Java: Add CodeQL security scans opentelemetry-java#2416
• Java-instrumentation: Add CodeQL security scan opentelemetry-java-instrumentation#1971
• Python: Adding CodeQL security scan workflow opentelemetry-python#1505
• Python-contrib: Adding CodeQL Security Scan Workflow opentelemetry-python-contrib#277
• .Net-contrib: Add CodeQL security scan opentelemetry-dotnet-contrib#55

2. GoSec scan: GHA workflows enabling GoSec scans to be run have been completed and merged for the following repos -

• Go: Adding Security Workflows to GitHub Actions (2/2): gosec workflow opentelemetry-go#1429
• Go-contrib: Adding Security Workflows to GitHub Actions (2/2): gosec workflow opentelemetry-go-contrib#507

Note: GHA workflows were submitted but closed for the Collector and collector-contrib since GoSec is already enabled for the Collector and Collector-contrib repos.

• Collector: [2/2] Add Security workflows: GoSec scan workflow opentelemetry-collector#2326 (closed)
• Collector-contrib: [2/2] Add Security workflows: GoSec scan workflow opentelemetry-collector-contrib#1923

3. Security policy: @alolita will track work on security guidelines/policy in another issue.

[alolita]

Picking back up on this issue, we're adding further security vulnerabilities scanning using CodeQL and GoSec to the rest of the OpenTelemetry code repos. We also see the dotNet repo added a CodeQL scan using GitHub Actions in PR open-telemetry/opentelemetry-dotnet#1324.

We are now adding CodeQL scans using GitHub Actions in the following repos:

• collector-builder
• cpp
• cpp-contrib
• dotnet-instrumentation
• java-contrib
• JS-API
• lambda
• log-collection
• operator

We will also be adding GoSec scans to be run using GitHub Actions workflows in the following repos:

• collector-builder
• lambda
• log-collection
• operator

cc: @xukaren @KKelvinLo

[arminru]

Thank you for taking care of this, @alolita, @xukaren and @KKelvinLo!