From ef3375fefb072022a9106986e1fc02f77900f7e3 Mon Sep 17 00:00:00 2001
From: cleverchuk <chukwubuikem.umeugwa@solarwinds.com>
Date: Mon, 7 Oct 2024 13:23:18 -0400
Subject: [PATCH] NH-86008: add codeql.yml and SECURITY.md

---
 .github/workflows/codeql.yml | 72 ++++++++++++++++++++++++++++++++++++
 CODEOWNERS                   |  2 +-
 SECURITY.md                  | 26 +++++++++++++
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..0b23adc7
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,72 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 7 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: +security-extended,security-and-quality
+
+      # Autobuild fails so use custom build steps
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '8.0.302'
+          distribution: 'temurin'
+
+      - name: Run maven package
+        run: mvn -s .github/m2/settings.xml clean package
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/CODEOWNERS b/CODEOWNERS
index 8187239f..c1a06a24 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-* @solarwinds-cloud/eng-apm-instrumentation
+* @solarwinds/eng-pub-apm-instrumentation
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..76397249
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security Policy
+
+## Security at SolarWinds
+
+SolarWinds is committed to taking our customers security and privacy concerns seriously and makes it a priority. We strive to implement and maintain security processes, procedures, standards, and take all reasonable care to prevent unauthorized access to our customer data. We apply appropriate administrative, operational, and technical security controls to help ensure that our customer data is handled and processed in a responsible and secure manner.
+
+Our security strategy covers all aspects of our business, including:
+
+* Corporate security policies
+* Organizational security
+* Physical and environmental security
+* Operational security processes and procedures
+* Incident management and response
+* Business continuity and disaster recovery
+* Data protection
+
+## Security Documents
+[Security Statement](https://www.solarwinds.com/security/security-statement)
+
+[Vendor Data Protection Requirements](https://www.solarwinds.com/security/vendor-data-protection-requirements)
+
+## Vulnerability Disclosure Policy
+[SolarWinds Vulnerability Disclosure Policy](https://www.solarwinds.com/information-security/vulnerability-disclosure-policy)
+
+## Want to report a security concern?
+SolarWinds reviews all reports of security vulnerabilities submitted to it affecting SolarWinds products and services. To report a vulnerability in one of our products or solutions or a vulnerability in one of our corporate websites, please contact our Product Security Incident Response Team (PSIRT) at [psirt@solarwinds.com](mailto:psirt@solarwinds.com).