GitHub Security
Last updated
Last updated
Last updated: 19/03/24
We can improve visibility of security vulnerabilities in our services introduced either by insecure coding patterns or open source dependencies.
In order that we avoid the exploitation of vulnerabilities present in our services we should identify and mitigate vulnerabilities that may allow attackers to access sensitive data and run code on your application, as well as being aware of potential licensing issues.
See the .
We should have visibility of , issues, and an automated mechanism to raise PRs to remediate vulnerabilities.
This will involve:
Providing Dependabot with a graph of dependencies for all our Scala repositories
Providing a usable mechanism to raise PRs against both Scala & Typescript repositories
Providing a mechanism to incentivise merging automated PRs, consisting of:
ChatOps notification of open PRs in need of review & merge
Preventing proliferation of unmerged PRs by automated closing when stale
In addition we will enable at the :
Dependabot alerts for all repositories for medium, high & critical vulnerabilities idenitified in depenendency graphs for our services.
Automated PR raising by Dependabot for all repositories for all critical vulnerabilities.
Grouped security updates for all repositories to expedite testing and merging remediation PRs.
Secret scanning with push protection on all out repositories for supported secrets.