
   1  header:
   2    schema-version: "1.0.0"
   3    expiration-date: "2026-08-04T00:00:00.000Z"
   4    last-updated: "2025-08-04"
   5    last-reviewed: "2025-08-04"
   6    commit-hash: 69e81088ad40f45a0764597326722dea8f3f00a8
   7    project-url: https://github.com/open-telemetry/opentelemetry-go
   8    project-release: "v1.37.0"
   9    changelog: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CHANGELOG.md
  10    license: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/LICENSE
  11  
  12  project-lifecycle:
  13    status: active
  14    bug-fixes-only: false
  15    core-maintainers:
  16      - https://github.com/dmathieu
  17      - https://github.com/dashpole
  18      - https://github.com/pellared
  19      - https://github.com/XSAM
  20      - https://github.com/MrAlias
  21    release-process: |
  22      See https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/RELEASING.md
  23  
  24  contribution-policy:
  25    accepts-pull-requests: true
  26    accepts-automated-pull-requests: true
  27    automated-tools-list:
  28      - automated-tool: dependabot
  29        action: allowed
  30        comment: Automated dependency updates are accepted.
  31      - automated-tool: renovatebot
  32        action: allowed
  33        comment: Automated dependency updates are accepted.
  34      - automated-tool: opentelemetrybot
  35        action: allowed
  36        comment: Automated OpenTelemetry actions are accepted.
  37    contributing-policy: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
  38    code-of-conduct: https://github.com/open-telemetry/.github/blob/ffa15f76b65ec7bcc41f6a0b277edbb74f832206/CODE_OF_CONDUCT.md
  39  
  40  documentation:
  41    - https://pkg.go.dev/go.opentelemetry.io/otel
  42    - https://opentelemetry.io/docs/instrumentation/go/
  43  
  44  distribution-points:
  45    - pkg:golang/go.opentelemetry.io/otel
  46    - pkg:golang/go.opentelemetry.io/otel/bridge/opencensus
  47    - pkg:golang/go.opentelemetry.io/otel/bridge/opencensus/test
  48    - pkg:golang/go.opentelemetry.io/otel/bridge/opentracing
  49    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc
  50    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  51    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace
  52    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
  53    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  54    - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdoutmetric
  55    - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdouttrace
  56    - pkg:golang/go.opentelemetry.io/otel/exporters/zipkin
  57    - pkg:golang/go.opentelemetry.io/otel/metric
  58    - pkg:golang/go.opentelemetry.io/otel/sdk
  59    - pkg:golang/go.opentelemetry.io/otel/sdk/metric
  60    - pkg:golang/go.opentelemetry.io/otel/trace
  61    - pkg:golang/go.opentelemetry.io/otel/exporters/prometheus
  62    - pkg:golang/go.opentelemetry.io/otel/log
  63    - pkg:golang/go.opentelemetry.io/otel/log/logtest
  64    - pkg:golang/go.opentelemetry.io/otel/sdk/log
  65    - pkg:golang/go.opentelemetry.io/otel/sdk/log/logtest
  66    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc
  67    - pkg:golang/go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  68    - pkg:golang/go.opentelemetry.io/otel/exporters/stdout/stdoutlog
  69    - pkg:golang/go.opentelemetry.io/otel/schema
  70  
  71  security-artifacts:
  72    threat-model:
  73      threat-model-created: false
  74      comment: |
  75        No formal threat model created yet.
  76    self-assessment:
  77      self-assessment-created: false
  78      comment: |
  79        No formal self-assessment yet.
  80  
  81  security-testing:
  82    - tool-type: sca
  83      tool-name: Dependabot
  84      tool-version: latest
  85      tool-url: https://github.com/dependabot
  86      tool-rulesets:
  87        - built-in
  88      integration:
  89        ad-hoc: false
  90        ci: true
  91        before-release: true
  92      comment: |
  93        Automated dependency updates.
  94    - tool-type: sast
  95      tool-name: golangci-lint
  96      tool-version: latest
  97      tool-url: https://github.com/golangci/golangci-lint
  98      tool-rulesets:
  99        - built-in
 100      integration:
 101        ad-hoc: false
 102        ci: true
 103        before-release: true
 104      comment: |
 105        Static analysis in CI.
 106    - tool-type: fuzzing
 107      tool-name: OSS-Fuzz
 108      tool-version: latest
 109      tool-url: https://github.com/google/oss-fuzz
 110      tool-rulesets:
 111        - default
 112      integration:
 113        ad-hoc: false
 114        ci: false
 115        before-release: false
 116      comment: |
 117        OpenTelemetry Go is integrated with OSS-Fuzz for continuous fuzz testing. See https://github.com/google/oss-fuzz/tree/f0f9b221190c6063a773bea606d192ebfc3d00cf/projects/opentelemetry-go for more details.
 118    - tool-type: sast
 119      tool-name: CodeQL
 120      tool-version: latest
 121      tool-url: https://github.com/github/codeql
 122      tool-rulesets:
 123        - default
 124      integration:
 125        ad-hoc: false
 126        ci: true
 127        before-release: true
 128      comment: |
 129        CodeQL static analysis is run in CI for all commits and pull requests to detect security vulnerabilities in the Go source code. See https://github.com/open-telemetry/opentelemetry-go/blob/d5b5b059849720144a03ca5c87561bfbdb940119/.github/workflows/codeql-analysis.yml for workflow details.
 130    - tool-type: sca
 131      tool-name: govulncheck
 132      tool-version: latest
 133      tool-url: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
 134      tool-rulesets:
 135        - default
 136      integration:
 137        ad-hoc: false
 138        ci: true
 139        before-release: true
 140      comment: |
 141        govulncheck is run in CI to detect known vulnerabilities in Go modules and code paths. See https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/.github/workflows/ci.yml for workflow configuration.
 142  
 143  security-assessments:
 144    - auditor-name: 7ASecurity
 145      auditor-url: https://7asecurity.com
 146      auditor-report: https://7asecurity.com/reports/pentest-report-opentelemetry.pdf
 147      report-year: 2023
 148      comment: |
 149        This independent penetration test by 7ASecurity covered OpenTelemetry repositories including opentelemetry-go. The assessment focused on codebase review, threat modeling, and vulnerability identification. See the report for details of findings and recommendations applicable to opentelemetry-go. No critical vulnerabilities were found for this repository.
 150  
 151  security-contacts:
 152    - type: email
 153      value: cncf-opentelemetry-security@lists.cncf.io
 154      primary: true
 155    - type: website
 156      value: https://github.com/open-telemetry/opentelemetry-go/security/policy
 157      primary: false
 158  
 159  vulnerability-reporting:
 160    accepts-vulnerability-reports: true
 161    email-contact: cncf-opentelemetry-security@lists.cncf.io
 162    security-policy: https://github.com/open-telemetry/opentelemetry-go/security/policy
 163    comment: |
 164      Security issues should be reported via email or GitHub security policy page.
 165  
 166  dependencies:
 167    third-party-packages: true
 168    dependencies-lists:
 169      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/go.mod
 170      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opencensus/go.mod
 171      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opencensus/test/go.mod
 172      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/bridge/opentracing/go.mod
 173      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlplog/otlploggrpc/go.mod
 174      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlplog/otlploghttp/go.mod
 175      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlpmetric/otlpmetricgrpc/go.mod
 176      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlpmetric/otlpmetrichttp/go.mod
 177      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/go.mod
 178      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/otlptracegrpc/go.mod
 179      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/otlp/otlptrace/otlptracehttp/go.mod
 180      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/prometheus/go.mod
 181      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdoutlog/go.mod
 182      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdoutmetric/go.mod
 183      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/stdout/stdouttrace/go.mod
 184      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/exporters/zipkin/go.mod
 185      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/internal/tools/go.mod
 186      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/log/go.mod
 187      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/log/logtest/go.mod
 188      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/metric/go.mod
 189      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/schema/go.mod
 190      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/go.mod
 191      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/log/go.mod
 192      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/log/logtest/go.mod
 193      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/sdk/metric/go.mod
 194      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/trace/go.mod
 195      - https://github.com/open-telemetry/opentelemetry-go/blob/v1.37.0/trace/internal/telemetry/test/go.mod
 196    dependencies-lifecycle:
 197      policy-url: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
 198      comment: |
 199        Dependency lifecycle managed via go.mod and renovatebot.
 200    env-dependencies-policy:
 201      policy-url: https://github.com/open-telemetry/opentelemetry-go/blob/69e81088ad40f45a0764597326722dea8f3f00a8/CONTRIBUTING.md
 202      comment: |
 203        See contributing policy for environment usage.
 204