
[Repo] OpenSSF Security Insights v2 #7143

Merged
martincostello merged 2 commits into open-telemetry:main from martincostello:security-insights-v2
Apr 23, 2026

Conversation

@martincostello
Member

cncf/clomonitor#1900.

Changes

Migrate back to OpenSSF Security Insights v2.

I don't think there's any way to test this other than to merge it and see if it works.

If it doesn't, we can fix-forward or revert.

If it does, I'll do a similar PR to opentelemetry-dotnet-contrib.

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
  • Unit tests added/updated
  • Appropriate CHANGELOG.md files updated for non-trivial changes
  • Changes in public API reviewed (if applicable)

Migrate back to OpenSSF Security Insights v2.

See cncf/clomonitor#1900.
@martincostello martincostello marked this pull request as ready for review April 23, 2026 09:40
@martincostello martincostello requested a review from a team as a code owner April 23, 2026 09:40
Copilot AI review requested due to automatic review settings April 23, 2026 09:40
Contributor

Copilot AI left a comment


Pull request overview

Migrates the repository’s SECURITY-INSIGHTS.yml from the OpenSSF Security Insights v1 format back to the v2 schema.

Changes:

  • Replaces the v1 header/project-lifecycle/security-testing structure with the v2 project + repository schema.
  • Adds structured repository metadata (maintainers, documentation links, distribution points, vulnerability reporting).
  • Adds v2 security section describing assessments and security tools.


Comment threads on SECURITY-INSIGHTS.yml (4, marked outdated)
Member

@Kielek Kielek left a comment


LGTM. I am not sure if it will fix OSPS-QA-04.01; if not, we need a follow-up.

https://insights.linuxfoundation.org/project/opentelemetry/repository/open-telemetry_opentelemetry-dotnet/security?timeRange=past365days&start=2024-07-08&end=2025-07-08

The auto instrumentation package is also waiting for similar changes.

- Quote name so renders correctly.
- Update CodeQL type.
- Add PR number.
@martincostello martincostello added this pull request to the merge queue Apr 23, 2026
Merged via the queue into open-telemetry:main with commit 2f6ad24 Apr 23, 2026
24 checks passed
@martincostello martincostello deleted the security-insights-v2 branch April 23, 2026 10:07
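A pre-merge sanity check for the file, added here as an example; it is not part of this PR or of the OpenTelemetry repositories. The PR description says the only real test is to merge the file and see whether CLO Monitor accepts it, and the second commit quotes the `name` value so it renders correctly. The script below catches the two YAML pitfalls that quoting avoids (a colon inside an unquoted value is a syntax error, and an unquoted date is deserialised as a Date rather than a string) and a few shape invariants a migrated v2 file should satisfy. It is written in Ruby only because Ruby's standard library ships a YAML parser. The v2 layout it assumes is three top-level sections (`header`, `project`, `repository`) with a `header.schema-version` value; every other key in the constructed samples, including the `security.tools` entry, is illustrative and is not taken from the spec or from the PR's diff, which this page does not show.

```ruby
require 'yaml'

# Assumed v2 layout: three top-level sections plus header.schema-version.
# Every other key used in the samples below is illustrative, not the spec's.
REQUIRED_SECTIONS = %w[header project repository].freeze

# Parse with safe_load so only plain YAML types (strings, numbers, lists, maps)
# come back. An unquoted date such as `last-updated: 2026-04-23` is turned into
# a Date by the parser and rejected here, which is what a strict schema
# validator would also complain about; quoting the value keeps it a string.
def load_insights(text)
  YAML.safe_load(text)
rescue Psych::Exception => e
  raise ArgumentError, "YAML does not load cleanly: #{e.message}"
end

# Yield (path, value) for every scalar stored under a key named `url`, at any depth.
def each_url(node, path = [], &blk)
  case node
  when Hash
    node.each do |k, v|
      blk.call(path + [k], v) if k.to_s == 'url' && !v.is_a?(Hash) && !v.is_a?(Array)
      each_url(v, path + [k], &blk)
    end
  when Array
    node.each_with_index { |v, i| each_url(v, path + [i], &blk) }
  end
end

# Return a list of problems; an empty list means the file passed every check.
def check_insights(text)
  doc = begin
    load_insights(text)
  rescue ArgumentError => e
    return [e.message]
  end
  return ['top level is not a mapping'] unless doc.is_a?(Hash)

  problems = []
  REQUIRED_SECTIONS.each do |section|
    problems << "missing top-level section: #{section}" unless doc[section].is_a?(Hash)
  end

  # A file that still declares 1.x has not actually been migrated.
  version = doc.dig('header', 'schema-version')
  unless version.is_a?(String) && version.start_with?('2.')
    problems << "header.schema-version is #{version.inspect}, expected a 2.x version"
  end

  # Every url in the file should be https; plain http gets flagged.
  each_url(doc) do |path, value|
    unless value.is_a?(String) && value.start_with?('https://')
      problems << "#{path.join('.')} is not an https URL: #{value.inspect}"
    end
  end
  problems
end

# Constructed sample in the assumed layout; the org and repo names are placeholders.
GOOD = <<~YAML
  header:
    schema-version: 2.0.0
    last-updated: '2026-04-23'
    url: https://github.com/example-org/example-repo/blob/main/SECURITY-INSIGHTS.yml
  project:
    name: 'Example: a .NET library'
  repository:
    url: https://github.com/example-org/example-repo
    security:
      tools:
        - name: CodeQL
          type: SAST
YAML

# The same file with quotes dropped: the colon inside `name` becomes a YAML
# syntax error, and the bare date becomes a Date object instead of a string.
BAD_NAME = GOOD.sub("'Example: a .NET library'", 'Example: a .NET library')
BAD_DATE = GOOD.sub("'2026-04-23'", '2026-04-23')

# A file that was never migrated and points at an http:// URL.
STILL_V1 = <<~YAML
  header:
    schema-version: 1.0.0
  project:
    name: example
  repository:
    url: http://example.org/repo
YAML

if $PROGRAM_NAME == __FILE__
  text = ARGV.empty? ? GOOD : File.read(ARGV[0])
  problems = check_insights(text)
  puts(problems.empty? ? 'OK' : problems)
  exit(1) unless problems.empty?
end
```

Run it as `ruby check_insights.rb SECURITY-INSIGHTS.yml` in CI before the merge; a non-zero exit means the file would not even parse into the plain string/map/list shape a schema validator expects, which is the class of problem the second commit had to fix after the fact.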
@martincostello
Member Author

With the follow-ups in #7144 and #71455, CLO Monitor isn't reporting any further issues.



3 participants