Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add dependency auditing/monitoring #458

Closed
3 tasks done
drewbo opened this issue Mar 13, 2024 · 5 comments
Closed
3 tasks done

Add dependency auditing/monitoring #458

drewbo opened this issue Mar 13, 2024 · 5 comments
Assignees
@svenaas
Labels
squad-pages Pages squad label

Comments

@drewbo
Copy link
Contributor

drewbo commented Mar 13, 2024
edited by svenaas
Loading

We'd like to ensure that we don't merge vulnerable dependencies into this repo.

Notes

Acceptance Criteria

  • Add dependency auditing to the CI pipeline
  • Enable dependabot security scanning via Github Security configuration
  • Update internal docs/runbook to indicate that our quarterly process should apply to this repo as well
@drewbo drewbo added the squad-pages Pages squad label label Mar 13, 2024
svenaas added a commit that referenced this issue May 6, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
40336c0
svenaas added a commit that referenced this issue May 6, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
b42bb32
svenaas added a commit that referenced this issue May 6, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
366093c
svenaas added a commit that referenced this issue May 6, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
9fda5b2
svenaas added a commit that referenced this issue May 6, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
53d3b77
@svenaas svenaas mentioned this issue May 7, 2024
Merged
svenaas added a commit that referenced this issue May 9, 2024
@svenaas
chore: Add dependency auditing with pip-audit (#458)
c947af3
@svenaas
Copy link
Contributor

svenaas commented May 9, 2024

Dependency auditing added with #460

@svenaas
Copy link
Contributor

svenaas commented May 9, 2024

@drewbo It looks like Dependabot security scanning is already enabled. Or did you intend a change in our rules?

@drewbo
Copy link
Contributor Author

drewbo commented May 9, 2024

Ideally I'd like to configure it like https://github.com/cloud-gov/pages-core/pull/4222/files#diff-dd4fbda47e51f1e35defb9275a9cd9c212ecde0b870cba89ddaaae65c5f3cd28. The intent is to not open PRs for version updates (seemingly working) and to preface other PRs with [ci skip] (not working)

@drewbo
Copy link
Contributor Author

drewbo commented May 9, 2024

Also let's update the runbook/internal doc to indicate that our quarterly process should apply to this repo as well.

@svenaas
Copy link
Contributor

svenaas commented May 13, 2024

Ideally I'd like to configure it like https://github.com/cloud-gov/pages-core/pull/4222/files#diff-dd4fbda47e51f1e35defb9275a9cd9c212ecde0b870cba89ddaaae65c5f3cd28. The intent is to not open PRs for version updates (seemingly working) and to preface other PRs with [ci skip] (not working)

Should it have a schedule (interval: weekly) like current pages-core?

svenaas added a commit that referenced this issue May 13, 2024
@svenaas
chore: Enable Dependabot security scanning (#458)
066f664
svenaas added a commit that referenced this issue May 13, 2024
@svenaas
chore: Enable Dependabot security scanning (#458)
0f7cac6
@svenaas svenaas mentioned this issue May 13, 2024
Merged
svenaas added a commit that referenced this issue May 14, 2024
@svenaas
chore: Enable Dependabot security scanning (#458)
b3911b7
@svenaas svenaas closed this as completed May 14, 2024
This was referenced Jun 24, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@svenaas svenaas

Labels
squad-pages Pages squad label
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@svenaas @drewbo