
Add dependency auditing to pipelines #460

Merged: 1 commit merged from 458-add-dependency-auditing into staging on May 9, 2024

Conversation

svenaas (Contributor) commented May 6, 2024

Part of #458

Changes proposed in this pull request:

  • Add pip-audit as a dev dependency.
  • Add pip-audit.sh script and new audit-dependencies tasks which run it in the CI pipelines.

Security considerations

None. This introduces a new check to help ensure that out-of-date dependencies get resolved.
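
The script below is an added example of what a pip-audit.sh task in the shape this PR describes can look like; it is not the repository's own script. The requirement file names, the virtualenv path, the report path and the `run` argument convention are assumptions and can be overridden through the environment. It follows the review suggestion to install only pip-audit rather than the whole dev dependency set, fails the task when pip-audit reports a known vulnerability or (with `--strict`) cannot resolve the dependency tree, and refuses to "pass" when none of the requirement files exist, which is the silent failure mode a CI audit step most needs to guard against.

```shell
#!/usr/bin/env bash
# Added example: a stand-alone pip-audit.sh in the shape the PR describes.
# It is not the repository's script. File names, the venv path and the
# report path are assumptions; override them through the environment.
set -eu

REQ_FILES="${REQ_FILES:-requirements.txt requirements-dev.txt}"  # assumed names
AUDIT_VENV="${AUDIT_VENV:-.pip-audit-venv}"                      # assumed path
REPORT="${REPORT:-pip-audit-report.json}"                        # assumed path

# Turn a space-separated list of requirement files into pip-audit's
# "-r FILE" arguments, skipping files that do not exist in the checkout.
# Prints the argument string; returns 1 when no file was found, so the
# pipeline fails loudly instead of passing an empty audit.
audit_args() {
  args=""
  for f in $1; do
    if [ -f "$f" ]; then
      args="$args -r $f"
    fi
  done
  [ -n "$args" ] || return 1
  printf '%s' "${args# }"
}

# Install only pip-audit (the reviewer's suggestion) into a throwaway
# virtualenv, so the audit step does not first install every dev dependency.
install_auditor() {
  python3 -m venv "$AUDIT_VENV"
  "$AUDIT_VENV/bin/pip" install --quiet --upgrade pip pip-audit
}

# Run the audit. pip-audit exits non-zero when it finds a known
# vulnerability, which is what fails the CI task; --strict also fails on
# dependency-resolution problems, and the JSON report is kept as an artifact.
run_audit() {
  args="$(audit_args "$REQ_FILES")" || {
    echo "pip-audit.sh: none of [$REQ_FILES] exist" >&2
    return 2
  }
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  "$AUDIT_VENV/bin/pip-audit" $args --strict --desc on -f json -o "$REPORT"
}

# Only execute the audit when invoked as "./pip-audit.sh run", so the
# functions above can also be sourced and checked on their own.
if [ "${1:-}" = "run" ]; then
  install_auditor
  run_audit
  echo "pip-audit.sh: no known vulnerabilities; report in $REPORT"
fi
```

In a pipeline task the script is invoked as `./pip-audit.sh run` from the checked-out source; the JSON report written to `$REPORT` can be published as a build artifact so findings are reviewable without re-running the job.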

@svenaas svenaas force-pushed the 458-add-dependency-auditing branch 5 times, most recently from eb61297 to 4f3ee10 Compare May 6, 2024 17:52
@svenaas svenaas marked this pull request as ready for review May 6, 2024 18:58
apburnes (Contributor) left a comment:

Great start! Can you add the audit task to the staging and prod pipelines?

@svenaas svenaas changed the title WIP: Add dependency auditing Add dependency auditing to pipelines May 7, 2024

Review comment on pip-audit.sh, on these lines:

set -euo pipefail

pip install -r requirements-dev.txt

Reviewer (Contributor): For the audit you can install just pip-audit to speed this up a bit.

svenaas (Contributor, Author): Done. Still works and it's definitely lighter.

svenaas (Contributor, Author) commented May 7, 2024

> Great start! Can you add the audit task to the staging and prod pipelines?

I've added it to pipeline.yml now; I'm not sure whether it would be wise to adjust any of its details there.

@svenaas svenaas requested review from apburnes and drewbo May 7, 2024 17:18
drewbo (Contributor) commented May 7, 2024

@svenaas for staging/prod (which both run off pipeline.yml), I would set the audit to run off the git resource rather than the pr resource (src-((deploy-env))). Right now we have a little duplication in triggers here. Eventually we can match the pages-core pattern, but that will take a bit of work.

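The job shape drewbo describes, as an added example that is not the project's pipeline.yml: the staging/prod audit job is triggered by a plain git resource for the deploy branch, so it runs on every commit to that branch and does not duplicate the PR-resource triggers. The resource name `src-git-((deploy-env))`, the `((git-uri))` variable and the container image are assumptions; only the `((deploy-env))` variable appears on the page.

```yaml
# Added example of a Concourse job that runs the audit off a git resource.
# Not the project's pipeline.yml; names other than ((deploy-env)) are assumed.
resources:
  - name: src-git-((deploy-env))       # assumed name for the git (not pr) resource
    type: git
    source:
      uri: ((git-uri))                 # placeholder, supplied as a pipeline var
      branch: ((deploy-env))

jobs:
  - name: audit-dependencies-((deploy-env))
    plan:
      - get: src-git-((deploy-env))
        trigger: true                  # new commits on the branch start the job
      - task: pip-audit
        config:
          platform: linux
          image_resource:
            type: registry-image
            source: { repository: python, tag: "3.12" }   # assumed image
          inputs:
            - name: src-git-((deploy-env))
          run:
            path: bash
            args:
              - -c
              - cd src-git-((deploy-env)) && ./pip-audit.sh run
```

Keeping the PR pipeline's audit task on the pr resource and this one on the git resource means each job has exactly one trigger, which is the duplication the comment points at.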
svenaas (Contributor, Author) commented May 7, 2024

> @svenaas for staging/prod (which both run off pipeline.yml) I would set the audit to run off the git resource rather than the pr resource (src-((deploy-env))). Right now we have a little duplication in triggers here. Eventually we can match the pages-core pattern but that will take a bit of work.

@drewbo How's this latest commit look? I changed the notification text a little as well.

@svenaas svenaas force-pushed the 458-add-dependency-auditing branch from c33ba6b to c947af3 Compare May 9, 2024 16:08
@svenaas svenaas merged commit 6ad6aec into staging May 9, 2024
4 of 5 checks passed
@svenaas svenaas deleted the 458-add-dependency-auditing branch May 9, 2024 16:17
@svenaas svenaas mentioned this pull request May 9, 2024