
allstar usecase(#21) #29

Open
wants to merge 7 commits into
base: main

Conversation

EjiroLaurelD
Contributor

Hello @jpkrohling
I have made the recommended changes to my initial PR and also created a new branch.
I wrote the document to outline how SIG security members use Allstar. Please let me know your thoughts on it.
Thank you for your time

Member

@jpkrohling jpkrohling left a comment


I think the file name should be just recommendation-allstar.md.

@cartersocha, @codeboten, I'm missing some context for this PR. Do we need this here at all? Or do we need a doc describing our specific allstar setup?

sig-allstar.md Outdated
@@ -0,0 +1,31 @@
## SIG Security's use of Allstar for the OpenTelemetry(OTEL) project

Allstar is a security policy engine that helps organizations automate and enforce security best practices. It can be used to scan code, dependencies, and infrastructure for vulnerabilities. It can also be used to enforce best practices for code reviews, security testing, and vulnerability management.
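Review bot: the second and third sentences of the new file (line 3 of the hunk) claim that Allstar scans code, dependencies and infrastructure for vulnerabilities, which does not follow from the first sentence's own description of it as a security policy engine that automates and enforces best practices; nothing in the hunk backs the scanning claim, so it should be replaced with the concrete policies the SIG actually enables (and the link @jpkrohling asked for in the thread added), or cited. The heading also needs a space in "OpenTelemetry(OTEL)".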
Member


Can you add a link to allstar?

Contributor Author


Sure, will include it right away.

@EjiroLaurelD
Contributor Author

I think the file name should be just recommendation-allstar.md.

@cartersocha, @codeboten, I'm missing some context for this PR. Do we need this here at all? Or do we need a doc describing our specific allstar setup?

Hello @jpkrohling @cartersocha @codeboten
Any update on this please?

@jpkrohling
Member

Sorry, but after reviewing #21 again, I don't think it was meant to be an entry on the recommendations. From @codeboten's message on that issue:

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository

@EjiroLaurelD
Contributor Author

Sorry, but after reviewing #21 again, I don't think it was meant to be an entry on the recommendations. From @codeboten's message on that issue:

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository

Okay, this is my progress on this so far:
I have determined what Allstar can cover using the checklist that was provided, and the steps to enable Allstar have also been proposed using the quick start (I did a test run on my GitHub to be sure how it works).
I recently created issues on some repositories using the checklist, checking and confirming with maintainers what is enabled on the repo.
I am still a bit unclear as to where to document the usage of allstar on the security sig repo.

@codeboten
Contributor

Thanks for the work @EjiroLaurelD, I think the details you've captured here in this PR could be added to the original issue in a comment or as @jpkrohling in a separate Google Doc.

Can this other PR be closed in favour of this current one?

@EjiroLaurelD
Contributor Author

Thanks for the work @EjiroLaurelD, I think the details you've captured here in this PR could be added to the original issue in a comment or as @jpkrohling in a separate Google Doc.

Okay thank you, I will add my progress detail as a comment on the parent issue.

Can this other PR be closed in favour of this current one?

Yes please, we can close this PR.

3 participants