Skip to content

Commit

Permalink
Merge pull request #173 from guardian/ts/dep-graph
Browse files Browse the repository at this point in the history
Update recommendations re dependency scanning
  • Loading branch information
tjsilver authored Jul 15, 2024
2 parents fe0a9f9 + 053c379 commit e063be2
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 3 deletions.
2 changes: 1 addition & 1 deletion ownership.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ N.B. This guidance only intended as a minimum baseline; in practice the expectat
### Security
- A basic [security](./security.md) assessment should be performed to understand the risks and available controls. E.g.
authentication, network security, encryption, secret management. Expert guidance from outside the team should sought for high risk applications (e.g. processing user data)
- Any dependency manifest files should be scanned using [Snyk Open Source](./snyk.md)
- Any dependency manifest files should be scanned using [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-alerts)
- Internal tools should be behind Google Authentication
- A helper exists for [Scala](https://github.com/guardian/play-googleauth) and authentication can be added to an [ALB directly](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html)
- Network-layer restrictions may also be recommended based on the context
Expand Down
2 changes: 1 addition & 1 deletion security.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Security

As an organisation we have a low information-security risk appetite. We strive
for excellence when protecting the privacy of our reader's data and the
for excellence when protecting the privacy of our readers' data and the
integrity of our systems. **The security of our applications,
infrastructure and data is the highest priority.**

Expand Down
5 changes: 4 additions & 1 deletion snyk.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,7 @@
# Snyk
# Snyk (DEPRECATED)

> [!IMPORTANT]
> We recommend using [Github Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) to analyse dependencies for vulnerabilities.
## Introduction

Expand Down

0 comments on commit e063be2

Please sign in to comment.