Need for a Viable Security Scan Tool #339
A security workflow does not currently exist as part of the CI/CD or security workflows in the PHP repository. This is to satisfy the requirements as per open-telemetry/opentelemetry-specification#1333.
CodeQL is the common security scanning tool that is used currently for all of OpenTelemetry’s supported language repositories (Go, Java, JavaScript, Python, C++, etc.). Since CodeQL does not offer support for PHP, an alternative must be found. The security tool found must be able to be integrated with GitHub Actions.
We evaluated different possibilities but there seems to be limited available code scanning tools for PHP that could be integrated with GitHub Actions. The following code scanning tools for PHP could work:
We’d like to better understand the opinions from PHP engineers on a recommended code scanning tool so that one may be added to address #144.
cc @alolita @xukaren

Comments
Hello @KKelvinLo, I think we have some of these tools integrated as part of our CI/CD, you can check here. As always, it doesn't hurt to add more static analysis tools.
@KKelvinLo - thanks for opening this ticket. We're happy to implement a code scanning tool! The ones we have presently are sufficient for much of our static analysis, but it's true that we currently don't have anything for security workflows. It looks like the Psalm security scan could be pretty easy for us to integrate; I'll give that a go.
@KKelvinLo - I've added this PR and I think it's sufficient for your requirements.
Cool! I think it suffices, if not then we can reopen the issue :)
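The shape a Psalm security scan wired into GitHub Actions takes, written here as an added example rather than the PR the maintainers linked; it assumes Psalm is a Composer dev dependency with a psalm.xml in the repository root, and the workflow path, job name and PHP version are assumptions.

```yaml
# .github/workflows/psalm-security.yml  (added example; file path and names are assumptions)
name: Psalm security scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write   # required to publish SARIF results to the Security tab

jobs:
  taint-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.1'   # assumed; use the version the repository targets
          tools: composer

      - name: Install dependencies
        run: composer install --no-interaction --prefer-dist

      - name: Run Psalm taint analysis
        # --taint-analysis turns on Psalm's source-to-sink security checks
        # (e.g. user input reaching SQL, shell or output sinks); emitting the
        # report as SARIF lets GitHub code scanning render the findings inline.
        run: vendor/bin/psalm --taint-analysis --report=results.sarif

      - name: Upload results to GitHub code scanning
        # Psalm exits non-zero when it finds issues, so upload on every outcome.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Findings then appear as code scanning alerts on the pull request, the same surface CodeQL uses for the other OpenTelemetry language repositories.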