From 98a76ad5e87c9de21560de3908e17a1c7ad2672e Mon Sep 17 00:00:00 2001 From: TJ Silver Date: Thu, 11 Jul 2024 17:26:13 +0100 Subject: [PATCH 1/2] docs: use dependabot --- ownership.md | 2 +- security.md | 2 +- snyk.md | 4 +++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ownership.md b/ownership.md index 4fbed67..edcd464 100644 --- a/ownership.md +++ b/ownership.md @@ -18,7 +18,7 @@ N.B. This guidance only intended as a minimum baseline; in practice the expectat ### Security - A basic [security](./security.md) assessment should be performed to understand the risks and available controls. E.g. authentication, network security, encryption, secret management. Expert guidance from outside the team should sought for high risk applications (e.g. processing user data) -- Any dependency manifest files should be scanned using [Snyk Open Source](./snyk.md) +- Any dependency manifest files should be scanned using [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) - Internal tools should be behind Google Authentication - A helper exists for [Scala](https://github.com/guardian/play-googleauth) and authentication can be added to an [ALB directly](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html) - Network-layer restrictions may also be recommended based on the context diff --git a/security.md b/security.md index a8939e3..f0fccdf 100644 --- a/security.md +++ b/security.md @@ -1,7 +1,7 @@ # Security As an organisation we have a low information-security risk appetite. We strive -for excellence when protecting the privacy of our reader's data and the +for excellence when protecting the privacy of our readers' data and the integrity of our systems. **The security of our applications, infrastructure and data is the highest priority.** diff --git a/snyk.md b/snyk.md index c368fe8..a10e677 100644 --- a/snyk.md +++ b/snyk.md 
@@ -1,4 +1,6 @@ -# Snyk +# Snyk + +[Deprecated] - We recommend using [Github Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) to analyse dependencies for vulnerabilities. ## Introduction From 053c379336ed3fb63e20b6319aced762b46ad6dd Mon Sep 17 00:00:00 2001 From: TJ Silver Date: Mon, 15 Jul 2024 10:02:00 +0100 Subject: [PATCH 2/2] refactor: make info more prominent --- snyk.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/snyk.md b/snyk.md index a10e677..e280fa2 100644 --- a/snyk.md +++ b/snyk.md @@ -1,6 +1,7 @@ -# Snyk +# Snyk (DEPRECATED) -[Deprecated] - We recommend using [Github Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) to analyse dependencies for vulnerabilities. +> [!IMPORTANT] +> We recommend using [Github Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) to analyse dependencies for vulnerabilities. ## Introduction
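Review bot: in the ownership.md hunk of PATCH 1/2, the link text says "Dependabot" but the target is the Dependabot alerts documentation; Dependabot also covers version updates (driven by a `dependabot.yml`), so name the feature precisely, e.g. `- Any dependency manifest files should be scanned using [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts)`. Alerts only fire for manifests the GitHub dependency graph can parse and require the graph to be enabled on the repository, so it is worth stating that prerequisite here and checking that every manifest type the team uses (including the Scala projects this same section references via play-googleauth) is actually covered. The unchanged context lines also carry two typos ("This guidance only intended", "should sought for") that could be fixed in the same docs pass.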
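Review bot: the security.md hunk (reader's -> readers') is an unrelated apostrophe fix bundled into a commit whose subject is "docs: use dependabot"; fine to keep, but either mention it in the commit message or split it into its own commit so the history stays searchable.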
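Review bot: in the snyk.md hunk of PATCH 1/2 the deprecation notice is a plain paragraph under an unchanged `# Snyk` heading, so a reader arriving via a table of contents or a search hit on the heading sees no sign that the page is deprecated; put the marker in the heading (as PATCH 2/2 then does). "Github" should be "GitHub" in the link text, and the notice says nothing about what happens to projects already imported into Snyk, so add a sentence on whether those remain monitored or should be disconnected.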
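Review bot: in the snyk.md hunk of PATCH 2/2, `> [!IMPORTANT]` is GitHub-flavoured alert syntax; any other Markdown renderer shows it as an ordinary blockquote whose first line is the literal text `[!IMPORTANT]`, which is still readable here but worth knowing if this guidance is published elsewhere. "Github" should be "GitHub" and GitHub's own docs write "Dependabot alerts" rather than "Dependabot Alerts". With the heading now `# Snyk (DEPRECATED)`, the `## Introduction` that follows still documents Snyk setup, so one more line saying the remainder of the page is kept for historical reference would stop readers from following it as current guidance.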