Skip to content

Commit

Permalink
NH-86008: add codeql.yml and SECURITY.md
Browse files Browse the repository at this point in the history
  • Loading branch information
cleverchuk committed Oct 7, 2024
1 parent a498bc4 commit 5d214bd
Show file tree
Hide file tree
Showing 2 changed files with 98 additions and 0 deletions.
72 changes: 72 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '0 7 * * 1'

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: [ 'java' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Use only 'java' to analyze code written in Java, Kotlin or both
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Checkout repository
uses: actions/checkout@v4

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
queries: +security-extended,security-and-quality

# Autobuild fails so use custom build steps
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '8.0.302'
distribution: 'temurin'

- name: Run maven package
run: mvn -s .github/m2/settings.xml clean package
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
26 changes: 26 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# Security Policy

## Security at SolarWinds

SolarWinds is committed to taking our customers security and privacy concerns seriously and makes it a priority. We strive to implement and maintain security processes, procedures, standards, and take all reasonable care to prevent unauthorized access to our customer data. We apply appropriate administrative, operational, and technical security controls to help ensure that our customer data is handled and processed in a responsible and secure manner.

Our security strategy covers all aspects of our business, including:

* Corporate security policies
* Organizational security
* Physical and environmental security
* Operational security processes and procedures
* Incident management and response
* Business continuity and disaster recovery
* Data protection

## Security Documents
[Security Statement](https://www.solarwinds.com/security/security-statement)

[Vendor Data Protection Requirements](https://www.solarwinds.com/security/vendor-data-protection-requirements)

## Vulnerability Disclosure Policy
[SolarWinds Vulnerability Disclosure Policy](https://www.solarwinds.com/information-security/vulnerability-disclosure-policy)

## Want to report a security concern?
SolarWinds reviews all reports of security vulnerabilities submitted to it affecting SolarWinds products and services. To report a vulnerability in one of our products or solutions or a vulnerability in one of our corporate websites, please contact our Product Security Incident Response Team (PSIRT) at [[email protected]](mailto:[email protected]).

0 comments on commit 5d214bd

Please sign in to comment.