-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from solarwinds/cc/NH-86008
NH-86008: add codeql.yml and SECURITY.md
- Loading branch information
Showing
3 changed files
with
99 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| # For most projects, this workflow file will not need changing; you simply need | ||
| # to commit it to your repository. | ||
| # | ||
| # You may wish to alter this file to override the set of languages analyzed, | ||
| # or to provide custom queries or build logic. | ||
| # | ||
| # ******** NOTE ******** | ||
| # We have attempted to detect the languages in your repository. Please check | ||
| # the `language` matrix defined below to confirm you have the correct set of | ||
| # supported CodeQL languages. | ||
| # | ||
| name: "CodeQL" | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| # The branches below must be a subset of the branches above | ||
| branches: [ "main" ] | ||
| schedule: | ||
| - cron: '0 7 * * 1' | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| language: [ 'java' ] | ||
| # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] | ||
| # Use only 'java' to analyze code written in Java, Kotlin or both | ||
| # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both | ||
| # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| # If you wish to specify custom queries, you can do so here or in a config file. | ||
| # By default, queries listed here will override any specified in a config file. | ||
| # Prefix the list here with "+" to use these queries and those in the config file. | ||
|
|
||
| # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | ||
| queries: +security-extended,security-and-quality | ||
|
|
||
| # Autobuild fails so use custom build steps | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: '8.0.302' | ||
| distribution: 'temurin' | ||
|
|
||
| - name: Run maven package | ||
| run: mvn -s .github/m2/settings.xml clean package | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v3 | ||
| with: | ||
| category: "/language:${{matrix.language}}" |
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| * @solarwinds-cloud/eng-apm-instrumentation | ||
| * @solarwinds/eng-pub-apm-instrumentation |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Security Policy | ||
|
|
||
| ## Security at SolarWinds | ||
|
|
||
| SolarWinds is committed to taking our customers security and privacy concerns seriously and makes it a priority. We strive to implement and maintain security processes, procedures, standards, and take all reasonable care to prevent unauthorized access to our customer data. We apply appropriate administrative, operational, and technical security controls to help ensure that our customer data is handled and processed in a responsible and secure manner. | ||
|
|
||
| Our security strategy covers all aspects of our business, including: | ||
|
|
||
| * Corporate security policies | ||
| * Organizational security | ||
| * Physical and environmental security | ||
| * Operational security processes and procedures | ||
| * Incident management and response | ||
| * Business continuity and disaster recovery | ||
| * Data protection | ||
|
|
||
| ## Security Documents | ||
| [Security Statement](https://www.solarwinds.com/security/security-statement) | ||
|
|
||
| [Vendor Data Protection Requirements](https://www.solarwinds.com/security/vendor-data-protection-requirements) | ||
|
|
||
| ## Vulnerability Disclosure Policy | ||
| [SolarWinds Vulnerability Disclosure Policy](https://www.solarwinds.com/information-security/vulnerability-disclosure-policy) | ||
|
|
||
| ## Want to report a security concern? | ||
| SolarWinds reviews all reports of security vulnerabilities submitted to it affecting SolarWinds products and services. To report a vulnerability in one of our products or solutions or a vulnerability in one of our corporate websites, please contact our Product Security Incident Response Team (PSIRT) at [[email protected]](mailto:[email protected]). |