Adds SECURITY.md and scanning workflow
This adds SECURITY.md and a scanning workflow, using Trivy. In particular, this clarifies what we use to scan for vulnerabilities (Trivy, not anything else), and the only channel likely to be responded to on a significant issue (zipkin-admin email, not advisories as people ignored them). I won't merge this until I get at least 2 approves. After that, I'll help apply this to the other java repos.

Signed-off-by: Adrian Cole <[email protected]>
Adrian Cole committed Apr 14, 2024 (1 parent 3af6593, commit 83494cc).
Showing 3 changed files with 71 additions and 0 deletions.
@@ -0,0 +1,52 @@ | ||
--- | ||
name: security | ||
|
||
# We don't scan documentation-only commits. | ||
on: # yamllint disable-line rule:truthy | ||
push: # non-tagged pushes to master | ||
branches: | ||
- master | ||
tags-ignore: | ||
- '*' | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
pull_request: # pull requests targeted at the master branch. | ||
branches: | ||
- master | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
|
||
jobs: | ||
security: | ||
name: Security | ||
runs-on: ubuntu-22.04 # newest available distribution, aka jellyfish | ||
# skip commits made by the release plugin | ||
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')" | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
- uses: actions/cache@v4 | ||
name: Cache Trivy Database | ||
with: | ||
path: .trivy | ||
key: ${{ runner.os }}-trivy | ||
restore-keys: ${{ runner.os }}-trivy | ||
- name: Run Trivy vulnerability and secret scanner | ||
uses: aquasecurity/trivy-action@master | ||
id: trivy | ||
with: | ||
scan-type: 'fs' | ||
scan-ref: '.' # scan the entire repository | ||
scanners: vuln,secret | ||
exit-code: '1' | ||
severity: HIGH,CRITICAL | ||
output: trivy-report.md | ||
cache-dir: .trivy | ||
- name: Set Summary | ||
shell: bash | ||
if: ${{ failure() && steps.trivy.conclusion == 'failure' }} | ||
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY |
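Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner to a moving branch, so the job's behaviour and its supply chain change whenever that branch does; in a security workflow this should be a release tag or, better, a full commit SHA with the version in a trailing comment, consistent with `actions/checkout@v4` and `actions/cache@v4` being pinned to a major in the same hunk. On the cache step, `key` and `restore-keys` are both the constant `${{ runner.os }}-trivy`, and actions/cache only saves on a primary-key miss, so the first Trivy DB snapshot saved is never refreshed and later runs re-download it anyway; put the date in `key` and keep the constant prefix in `restore-keys`. Minor: the `paths-ignore` entries `'./build-bin/*lint'` and `./build-bin/mlc_config.json` carry a leading `./`, which GitHub path filters do not use; drop the prefix so they actually match.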
@@ -0,0 +1,13 @@ | ||
# OpenZipkin Security Process | ||
|
||
This document outlines the process for handling security concerns in OpenZipkin projects. | ||
|
||
Any vulnerability or misconfiguration detected in our [security workflow](.github/workflows/security.yml) | ||
should be addressed as a normal pull request. | ||
|
||
OpenZipkin is a volunteer community and does not have a dedicated security team. There may be | ||
periods where no volunteer is able to address a security concern. There is no SLA or warranty | ||
offered by volunteers. If you are a security researcher, please consider this before escalating. | ||
|
||
For security concerns that are sensitive or otherwise outside the scope of public issues, please | ||
contact [email protected]. |
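Review bot: the last paragraph gives the contact address but never says it is the preferred channel, even though the commit message states that the zipkin-admin email, not advisories, is the only channel likely to get a response on a significant issue; add a sentence saying so explicitly (and, if GitHub advisories or private vulnerability reporting are not monitored, say that too) so a researcher does not file an advisory and wait. It would also help to note, next to "should be addressed as a normal pull request", that findings from the linked workflow are already public (dependency vulnerabilities and scanner output), which is why a public PR is the right route there and distinct from the sensitive-report path in the final paragraph.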