[security] audit repository tooling #212
Comments
|
@arminru Please confirm if vulnerability reporting, dependabot alerts are configured for the repo as I don't have enough access to see those. I do see we have majority of the repo in Python with a lil of Go but I don't see us using any staticcode checker for Python, do you folks have any suggestion in mind for the same? I know we can use Mypy or Pylint. Meanwhile I will open a PR for CodeQL scanning with schedule same as other repos. |
|
@open-telemetry/technical-committee I think you are still the only ones that have access to view the mentioned settings. Please check. @sakshi-1505 For Python we already use both mypy and pylint, and addtionally flake8 (and black + isort but these are probably less security relevant). https://github.com/open-telemetry/build-tools/blob/main/.github/workflows/semconvgen.yml Most of these could use an upgrade (we have dependabot PRs but with new linter errors that would need to be fixed), and there is also https://github.com/astral-sh/ruff which seems to be the new cool tool that would replace all 3 of pylint, flake8 and isort while being faster. So if somebody has time, there is always potential for improvement, but I think we have the basics covered (and note that the semantic convention generator is development tooling and not distributed to or used by end users) |
|
@Oberon00 I looked into the repo settings mentioned in the issue description, adjusted them where needed, and ticked the boxes. |
|
cc: @codeboten |
The security SIG is looking to ensure that security tooling is setup consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:
Parent issue: open-telemetry/sig-security#12
The text was updated successfully, but these errors were encountered: