A security workflow does not currently exist as part of the CI/CD or security workflows in the Erlang repository. This is to satisfy the requirements as per open-telemetry/opentelemetry-specification#1333.
CodeQL is the common security scanning tool that is used currently for all of OpenTelemetry's supported language repositories (Go, Java, JavaScript, Python, C++, etc.). Since CodeQL does not offer support for Erlang, an alternative must be found. The security tool found must be able to be integrated with GitHub Actions.
We evaluated different possibilities, but there seem to be no available code scanning tools for Erlang that could be integrated with GitHub Actions. We'd like to better understand the opinions of Erlang engineers on a recommended code scanning tool so that one may be added to address #144.
Funny, I finally see this issue and it's the day after I saw a comment from someone about http://snyk.io supporting Elixir.
But I'd never heard of snyk.io before so can only say that it may be an option for this. However, it only covers Elixir which is only a small part of this project.
I doubt any security scanning service supports Erlang and would be lucky to find one supporting Elixir (besides snyk.io).
cc @alolita @xukaren