[security] audit repository tooling #1131
Comments
@brettmc Please confirm if the Dependabot alerts & scanning alerts are present. I don't see CodeQL configured & any vulnerability static checker configured in CI. Do you mind if I take over the tasks of adding CodeQL & a static code checker for PHP?
/assign
Hi @sakshi-1505, it's all yours to see what you can do. We have a few static code analysis tools already running as part of CI: psalm, phan, phpstan. You should check whether those already provide adequate security scanning, and by all means go and research other options to see if any can provide additional value. It doesn't look like CodeQL supports PHP yet, so that's a non-starter.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
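The comment above asks whether the existing psalm/phan/phpstan runs already give security coverage. The practical check is that psalm's taint analysis is a separate mode: a plain `vendor/bin/psalm` run is a type checker and reports none of the flows below, while `vendor/bin/psalm --taint-analysis` does. The file below is an added example written for this thread, not code from the opentelemetry-php repository; the file name, function names and the `ping` command are illustrative assumptions.

```php
<?php
// taint_demo.php (added example, not from the project).
// Run after `composer require --dev vimeo/psalm` and `vendor/bin/psalm --init`:
//   vendor/bin/psalm                   -> no security findings (type checking only)
//   vendor/bin/psalm --taint-analysis  -> TaintedHtml and TaintedShell on the unsafe functions
// The same flag is what a CI "security scan" step has to pass; the default
// psalm invocation does not opt into taint tracking.

declare(strict_types=1);

// Vulnerable: $_GET is a taint source, echo is an HTML sink. Psalm reports
// TaintedHtml because the value reaches the sink without an HTML escape.
function greetUnsafe(): void
{
    $name = $_GET['name'] ?? 'anonymous';
    echo "<p>Hello, $name</p>";
}

// Hardened: htmlspecialchars is marked in psalm's stubs as an escape for the
// "html" taint, so the same flow is no longer reported.
function greetSafe(): void
{
    $name = htmlspecialchars((string) ($_GET['name'] ?? 'anonymous'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo "<p>Hello, $name</p>";
}

// Vulnerable: request input is concatenated into a shell command. Psalm
// reports TaintedShell for the shell_exec sink.
function pingUnsafe(): ?string
{
    $host = $_GET['host'] ?? '127.0.0.1';
    return shell_exec('ping -c 1 ' . $host);
}

// Hardened: escapeshellarg removes the "shell" taint, so the command argument
// is a single quoted token regardless of the input.
function pingSafe(): ?string
{
    $host = escapeshellarg((string) ($_GET['host'] ?? '127.0.0.1'));
    return shell_exec('ping -c 1 ' . $host);
}

// Entry points so the sinks are reachable from a request (illustrative only).
greetUnsafe();
greetSafe();
pingUnsafe();
pingSafe();
```

Running both commands against this file is a quick way to answer the question in the thread: if the CI job only invokes `psalm` without `--taint-analysis`, the existing tooling is not doing vulnerability scanning, and adding the flag as a separate job is the smallest change that gives PHP the kind of source-to-sink coverage that CodeQL provides for other languages.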
The security SIG is looking to ensure that security tooling is set up consistently across the organization. As a result, we're asking maintainers to ensure the following tools are enabled in each repository:
Parent issue: open-telemetry/sig-security#12