GitHub Security

Last updated: 19/03/24


Context

We can improve visibility of security vulnerabilities in our services, whether introduced by insecure coding patterns or by open source dependencies.

To avoid exploitation of vulnerabilities present in our services, we should identify and mitigate vulnerabilities that may allow attackers to access sensitive data or run code in our applications, and we should be aware of potential licensing issues in our dependencies.

See the Q1 2024 Platform Health OKR proposal.

Decision

We should have visibility of Dependabot alerts, CodeQL issues and secrets in code, and an automated mechanism to raise PRs to remediate vulnerabilities.

This will involve:

  • Providing Dependabot with a graph of dependencies for all our Scala repositories

  • Providing a usable mechanism to raise PRs against both Scala & TypeScript repositories

  • Providing a mechanism to incentivise merging automated PRs, consisting of:

    • ChatOps notification of open PRs in need of review & merge

    • Preventing proliferation of unmerged PRs by automated closing when stale

In addition, we will enable the following in the organisation level security settings:

  • Dependabot alerts for all repositories for medium, high & critical vulnerabilities identified in the dependency graphs for our services.

  • Automated PR raising by Dependabot for all repositories for all critical vulnerabilities.

  • Grouped security updates for all repositories to expedite testing and merging remediation PRs.

  • Secret scanning with push protection on all our repositories for supported secrets.
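The two repository-side pieces the decision depends on, as an added illustration rather than configuration taken from this ADR: a workflow that submits a Scala repository's resolved sbt dependency graph (Dependabot cannot read sbt builds itself, so without this step it has nothing to alert on), and a dependabot.yml for a TypeScript repository that batches security fixes into grouped PRs. Action names and versions, the `main` branch and the Java version are assumptions, not something the ADR states.

```yaml
# .github/workflows/dependency-graph.yml  (Scala repository)
# Publishes the sbt dependency graph via the dependency submission API so
# Dependabot alerts cover Scala projects. Action names are assumptions.
name: Submit sbt dependency graph
on:
  push:
    branches: [main]          # assumed default branch
permissions:
  contents: write             # the submission API writes to the repo graph
jobs:
  submit-graph:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17    # assumed JDK for the build
      - uses: sbt/setup-sbt@v1
      - uses: scalacenter/sbt-dependency-submission@v3
---
# .github/dependabot.yml  (TypeScript repository)
# One grouped PR per batch of security fixes instead of one PR per
# advisory, so fewer PRs sit unmerged and go stale.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5   # caps how many PRs can pile up
    groups:
      security-fixes:
        applies-to: security-updates   # group only advisory-driven bumps
        patterns: ["*"]
```

Repository-level Dependabot alerts and security updates still have to be switched on (the organisation-level settings above do that for all repositories); the files here only give Dependabot the graph to work from and shape the PRs it raises.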
