
Submit sbt dependencies to GitHub for vulnerability monitoring #227

Merged: 2 commits merged into main from sbt-dependency-graph-400b747286592f2a, Jun 25, 2024

Conversation

gu-dependency-graph-integrator[bot] (Contributor) commented:

What does this change?

This PR sends your sbt dependencies to GitHub for vulnerability monitoring via Dependabot.

Why?

If a repository is in production, we need to track its third party dependencies for vulnerabilities. Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot. Scala is not a language that Dependabot supports out of the box, so this workflow is required to make it happen. As a result, we have raised this PR on your behalf to add it to the Dependency Graph.

How has it been verified?

We have tested this workflow, and the process of raising a PR on DevX repos, and have verified that it works. However, we have included some instructions below to help you verify that it works for you. Please do not hesitate to contact DevX Security if you have any questions or concerns.

What do I need to do?

  • A run of this action should have been triggered when the branch was created. Go to Insights -> Dependency graph and sense check a few of your dependencies to make sure they show up. There may be a short delay between submission and them appearing in the UI.
  • When you are happy the action works, remove the branch name sbt-dependency-graph-400b747286592f2a trigger from the yaml file (aka delete line 6), approve, and merge.
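For readers who want to see what such a workflow looks like before sense-checking the graph, the following is an added illustration for this page, not the file from the anghammarad repository or the bot's own template. It assumes the Scala Center's scalacenter/sbt-dependency-submission action (version pin, JDK version and the sbt/setup-sbt step are all assumptions) is what resolves the sbt build and uploads the snapshot to GitHub's dependency submission API. The temporary trigger branch from the PR description is included so the first run fires when the branch is created; that is the line to delete before merging.

```yaml
# Illustrative workflow; assumed shape, not copied from the PR's own yaml file.
name: Update Dependency Graph for sbt

on:
  push:
    branches:
      - main
      - sbt-dependency-graph-400b747286592f2a # temporary trigger branch: delete once the graph is verified
  workflow_dispatch: # optional: lets you re-run the submission by hand after a dependency change

jobs:
  dependency-graph:
    runs-on: ubuntu-latest
    permissions:
      contents: write # the dependency submission API requires write access to contents; nothing else is needed
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 21 # assumption: use whatever JDK the project builds with

      # assumption: newer ubuntu runner images no longer ship sbt, so install it explicitly
      - uses: sbt/setup-sbt@v1

      # assumption: resolves every sbt module's dependency graph and POSTs a snapshot for this commit
      - uses: scalacenter/sbt-dependency-submission@v3
```

Two things worth checking once it has run: the job's permissions block grants only `contents: write`, so a compromised step cannot reach secrets beyond the default `GITHUB_TOKEN` scope it needs; and Dependabot raises alerts from the snapshot submitted for the default branch, so after the trigger line is removed a push to main is what refreshes the graph, which is why the sense check in Insights -> Dependency graph should be repeated after merge.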


changeset-bot bot commented Jun 25, 2024

⚠️ No Changeset found

Latest commit: f64f8c7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


@tjsilver tjsilver enabled auto-merge June 25, 2024 14:28
@tjsilver tjsilver merged commit 20cdd49 into main Jun 25, 2024
3 checks passed
@tjsilver tjsilver deleted the sbt-dependency-graph-400b747286592f2a branch June 25, 2024 14:29
akash1810 added a commit that referenced this pull request Jan 6, 2025
Since #227 we have been submitting reports to GitHub's dependency graph.

The Snyk workflow has been failing for a while on `main` (https://github.com/guardian/anghammarad/actions/workflows/snyk.yml). As mentioned in #227:

> Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot.

This change removes the Snyk workflow as an alternative to fixing it.