- Type: Epic
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Security
- Team(s): PLATFORM
- Completion Level (0 to 5): 5
We want to integrate a dependency check into our build pipelines: we do not want to release a new version if any dependency has an open critical or high CVE. We may leverage GitHub Dependabot or other tools.
As with the dependencies, we need to run security scans on the Docker images that go to production.
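As an added example (not the team's own pipeline code) of the release gate described above: a small Python script that reads a scanner report in Trivy's JSON layout (assumed here; the report embedded in the script is constructed, with placeholder package names and CVE ids) and fails the build when any HIGH or CRITICAL finding is open. The `ignore_unfixed` switch is an assumed policy knob, included because a vulnerability with no fixed version would otherwise block every release until upstream ships a patch.

```python
"""Release gate: refuse to ship when a scanner reports open HIGH/CRITICAL CVEs.

Added example for this ticket, not the PLATFORM team's own pipeline code.
Assumes a Trivy-style JSON report (Results -> Vulnerabilities with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the
report below is constructed inline for illustration, not a real scan.
"""
import json
from dataclasses import dataclass

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})

# Constructed sample report in the shape `trivy image --format json` emits.
# Package names and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/app:1.2.3",
    "Results": [
        {
            "Target": "registry.example.com/app:1.2.3 (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "app/requirements.txt"},
    ],
})


@dataclass(frozen=True)
class Finding:
    target: str
    cve: str
    package: str
    installed: str
    fixed: str   # empty string when the scanner knows no fixed version
    severity: str


def parse_findings(report_json: str) -> list[Finding]:
    """Flatten a Trivy-style report into one Finding per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # The key may be missing or null for clean targets, hence `or []`.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=result.get("Target", ""),
                cve=vuln.get("VulnerabilityID", ""),
                package=vuln.get("PkgName", ""),
                installed=vuln.get("InstalledVersion", ""),
                fixed=vuln.get("FixedVersion") or "",
                severity=(vuln.get("Severity") or "UNKNOWN").upper(),
            ))
    return findings


def blocking_findings(findings, block_on=BLOCKING_SEVERITIES, ignore_unfixed=False):
    """Return the findings that should stop a release.

    ignore_unfixed=True skips vulnerabilities with no fixed version: the build
    cannot act on them and would otherwise stay blocked until upstream ships a
    patch. Whether that is acceptable is a policy choice, so it is explicit.
    """
    return [
        f for f in findings
        if f.severity in block_on and not (ignore_unfixed and not f.fixed)
    ]


def release_allowed(report_json: str, ignore_unfixed: bool = False) -> bool:
    """True when nothing in the report meets the blocking policy."""
    return not blocking_findings(parse_findings(report_json), ignore_unfixed=ignore_unfixed)


def main() -> int:
    findings = parse_findings(SAMPLE_REPORT)
    blockers = blocking_findings(findings)
    for f in blockers:
        fix = f"fix: {f.fixed}" if f.fixed else "no fix available"
        print(f"BLOCK {f.severity:8} {f.cve} {f.package} {f.installed} ({fix}) in {f.target}")
    if blockers:
        print(f"release blocked: {len(blockers)} open HIGH/CRITICAL finding(s)")
        return 1
    print("release allowed: no open HIGH/CRITICAL findings")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

In a pipeline this would run after `trivy image --format json -o report.json <image>` (or the dependency scanner's equivalent) with the file contents passed in place of `SAMPLE_REPORT`; the non-zero exit status is what fails the job. Keeping the severity set and the unfixed-vulnerability rule as explicit parameters makes the policy reviewable rather than buried in a scanner flag.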
------------------------------------------------------------------------------
Finally, we've decided to drop the check in the release pipeline: if a release ships with a vulnerable dependency, we can always trigger the next release earlier. Having Dependabot automatically merge security updates ensures that the next release contains the fix.
We also want to enable static analysis of the source code, probably with GitHub code scanning.