Skip to content

docs(security): Add current security review evidence#8584

Merged
jkowall merged 2 commits into
jaegertracing:mainfrom
jkowall:codex/openssf-security-review-8485
May 17, 2026
Merged

docs(security): Add current security review evidence#8584
jkowall merged 2 commits into
jaegertracing:mainfrom
jkowall:codex/openssf-security-review-8485

Conversation

@jkowall

@jkowall jkowall commented May 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a 2026 public project security review artifact for the OpenSSF Gold security_review criterion
  • document reviewed security requirements, trust boundaries, inputs, public-safe findings handling, and refresh cadence
  • update the OpenSSF Gold evidence tracker and SECURITY.md to point at the new review

Refs #8485.
Refs #8481.

Validation

  • make fmt
  • make lint
  • make test

Follow-up

After this lands, update the OpenSSF Best Practices BadgeApp security_review evidence URL to https://github.com/jaegertracing/jaeger/blob/main/docs/security/security-review-2026.md.

Signed-off-by: Jonah Kowall <jkowall@kowall.net>
Copilot AI review requested due to automatic review settings May 17, 2026 15:14
@jkowall jkowall requested a review from a team as a code owner May 17, 2026 15:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds current public security review evidence for Jaeger’s OpenSSF Best Practices Gold security_review criterion and updates existing security documentation to reference it.

Changes:

  • Adds a 2026 security review artifact covering reviewed inputs, requirements, boundaries, and follow-up cadence.
  • Updates SECURITY.md and the OpenSSF Gold evidence tracker to link to the new review.
  • Removes security_review from remaining Gold work items.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
SECURITY.md Adds the 2026 security review to the security documentation index.
docs/security/security-review-2026.md Introduces the public security review evidence artifact.
docs/security/openssf-gold-evidence.md Updates review date, points security_review evidence to the new artifact, and removes it from pending work.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Add Self-Assessment and CI security workflows to Inputs Reviewed,
add Reviewers row to metadata, separate authentication from
authorization in Access control row, and link CodeQL/dependency-review/
Scorecard/FOSSA workflows from Vulnerability handling and Supply-chain
rows.

Signed-off-by: Jonah Kowall <jkowall@kowall.net>
@jkowall jkowall force-pushed the codex/openssf-security-review-8485 branch from 42b6315 to 2c5961d Compare May 17, 2026 15:21
@codecov

codecov Bot commented May 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.53%. Comparing base (107a643) to head (2c5961d).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8584   +/-   ##
=======================================
  Coverage   96.53%   96.53%           
=======================================
  Files         330      330           
  Lines       17363    17363           
=======================================
  Hits        16762    16762           
  Misses        453      453           
  Partials      148      148           
Flag Coverage Δ
badger_direct 8.94% <ø> (ø)
badger_e2e 1.04% <ø> (ø)
cassandra-4.x-direct-manual 14.55% <ø> (ø)
cassandra-4.x-e2e-auto 1.03% <ø> (ø)
cassandra-4.x-e2e-manual 1.03% <ø> (ø)
cassandra-5.x-direct-manual 14.55% <ø> (ø)
cassandra-5.x-e2e-auto 1.03% <ø> (ø)
cassandra-5.x-e2e-manual 1.03% <ø> (ø)
clickhouse-direct 8.97% <ø> (ø)
clickhouse-e2e 1.16% <ø> (ø)
elasticsearch-6.x-direct 16.87% <ø> (ø)
elasticsearch-7.x-direct 16.91% <ø> (ø)
elasticsearch-8.x-direct 17.05% <ø> (ø)
elasticsearch-8.x-e2e 1.04% <ø> (ø)
elasticsearch-9.x-e2e 1.04% <ø> (ø)
grpc_direct 7.90% <ø> (ø)
grpc_e2e 1.04% <ø> (ø)
kafka-3.x-v2 1.04% <ø> (ø)
memory_v2 1.04% <ø> (ø)
opensearch-1.x-direct 16.95% <ø> (ø)
opensearch-2.x-direct 16.95% <ø> (ø)
opensearch-2.x-e2e 1.04% <ø> (ø)
opensearch-3.x-e2e 1.04% <ø> (ø)
query 1.04% <ø> (ø)
tailsampling-processor 0.55% <ø> (ø)
unittests 94.82% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jkowall jkowall added this pull request to the merge queue May 17, 2026
Merged via the queue into jaegertracing:main with commit 01e65a8 May 17, 2026
72 checks passed
@jkowall jkowall deleted the codex/openssf-security-review-8485 branch May 17, 2026 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants