Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds SECURITY.md and scanning workflow #223

Merged
merged 2 commits into from
Apr 29, 2024
Merged

Adds SECURITY.md and scanning workflow #223

merged 2 commits into from
Apr 29, 2024

Conversation

codefromthecrypt
Copy link
Member

This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them).

This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267

This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them).

This is the same approach as approved and merged in openzipkin/zipkin-reporter-java#267

Signed-off-by: Adrian Cole <[email protected]>
@codefromthecrypt
Copy link
Member Author

raising this mainly to avoid ad-hoc decisions per-CVE which are annoying and burn brain cycles. Might as well use the same process as the rest of the repos.

If this doesn't work here, please yell. I won't merge for a few days to make sure someone can yell.

.github/workflows/security.yml Outdated Show resolved Hide resolved
.github/workflows/security.yml Outdated Show resolved Hide resolved
Signed-off-by: Adrian Cole <[email protected]>
@codefromthecrypt
Copy link
Member Author

thanks for the look @anuraaga I removed the unnecessary skips. I might add the link checker in a separate PR, then add the one back.. maybe ;)

@codefromthecrypt codefromthecrypt merged commit e609ce4 into master Apr 29, 2024
6 checks passed
@codefromthecrypt codefromthecrypt deleted the security branch April 29, 2024 00:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants