[FOLIO-1240] Ensure that devs have access to GH security alerts for their repos Created: 15/Jul/17  Updated: 13/Dec/18  Resolved: 04/May/18

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P3
Reporter: Jason Skomorowski Assignee: David Crossley
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: 7 hours, 15 minutes
Original estimate: Not Specified

Sprint:

Description

There is a tool that can check if any software in an npm dependency tree has known vulnerabilities. Could we incorporate this into our CI workflow so we'll receive notification when our package.json would lead to installation of questionable software?

The alerts apply for all repos that have a package.json (JavaScript) or Gemfile (Ruby).
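One way to turn the dependency check described above into a CI gate, as an added example that is not part of the original ticket or any FOLIO project code: a small script that reads the JSON report produced by `npm audit --json`, keeps only findings at or above a chosen severity, and returns a non-zero exit status so the pipeline step fails. The JSON shape (a top-level `vulnerabilities` map keyed by package name, each entry carrying `severity`, `isDirect` and `fixAvailable`, plus per-severity counts under `metadata.vulnerabilities`) is assumed to match npm 7 and later; the embedded report is a constructed sample, not real audit output, and the package names and versions in it are illustrative only.

```python
import json
import sys

# Severity ladder used by npm audit, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample of `npm audit --json` output (abbreviated; the field
# layout is an assumption about the npm 7+ format, the packages and
# advisories are made up for this example).
SAMPLE_AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "minimist": {
      "name": "minimist",
      "severity": "high",
      "isDirect": false,
      "via": [{"title": "Prototype Pollution (sample advisory)", "url": "https://example.invalid/advisory/0"}],
      "range": "<0.2.4",
      "fixAvailable": true
    },
    "lodash": {
      "name": "lodash",
      "severity": "moderate",
      "isDirect": true,
      "via": [{"title": "ReDoS (sample advisory)", "url": "https://example.invalid/advisory/1"}],
      "range": "<4.17.21",
      "fixAvailable": false
    }
  },
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0, "total": 2}
  }
}
"""


def load_report(text):
    """Parse the JSON text emitted by `npm audit --json`."""
    return json.loads(text)


def findings_at_or_above(report, threshold):
    """Return findings whose severity is at least `threshold`, most severe first.

    Each result records whether the package is a direct dependency (declared in
    package.json) and whether npm reports a fix, which is what a developer needs
    to triage the alert quickly.
    """
    min_index = SEVERITY_ORDER.index(threshold)
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        severity = entry.get("severity", "info")
        if SEVERITY_ORDER.index(severity) >= min_index:
            findings.append({
                "name": name,
                "severity": severity,
                "direct": bool(entry.get("isDirect", False)),
                "fix_available": bool(entry.get("fixAvailable")),
            })
    return sorted(findings,
                  key=lambda f: (-SEVERITY_ORDER.index(f["severity"]), f["name"]))


def ci_exit_code(report, threshold="high"):
    """Exit status for the CI step: 1 when any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report, threshold) else 0


def main(argv):
    # Usage: npm audit --json | python audit_gate.py [threshold]
    # With no piped input the constructed sample is used so the script runs stand-alone.
    threshold = argv[1] if len(argv) > 1 else "high"
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    report = load_report(text or SAMPLE_AUDIT_JSON)
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    print("npm audit totals:", ", ".join(f"{k}={counts.get(k, 0)}" for k in SEVERITY_ORDER))
    for f in findings_at_or_above(report, threshold):
        kind = "direct" if f["direct"] else "transitive"
        fix = "fix available" if f["fix_available"] else "no fix yet"
        print(f"  [{f['severity']}] {f['name']} ({kind}, {fix})")
    return ci_exit_code(report, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would run as `npm audit --json | python audit_gate.py high` after `npm install`; the non-zero status fails the build, and the printed list tells the developer which advisories are in direct dependencies and which already have a fix. npm's own `--audit-level` flag can fail the command on severity alone; the script adds the per-finding triage output and lets the policy (for instance, ignoring transitive findings with no available fix) be adjusted in one place.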



Comments
Comment by Jason Skomorowski [ 15/Jul/17 ]

LOL the security bug got the HTTPS port for a number. I am very easily amused.

Comment by Jason Skomorowski [ 17/Nov/17 ]

I wonder if this obviates the need for this? It seems like it'd be doing a similar thing / perhaps is even based on it?

https://github.com/blog/2470-introducing-security-alerts-on-github

Comment by John Malconian [ 01/May/18 ]

Yeah, I think the GitHub security alerts supersede this. We have them enabled on all repositories; however, I'm not sure they are visible to those who need to know about them. Assigning to David Crossley to investigate.

Comment by David Crossley [ 03/May/18 ]

It is wider than just Stripes, so I moved this issue to the general FOLIO Jira project.
(Sorry about your beaut issue number, Jason.)

Comment by David Crossley [ 03/May/18 ]

The notifications currently only go to admins. So I will visit each relevant repository to configure it.

After that people with such access will receive the notifications and see them under "Insights : Dependency graph".

Comment by David Crossley [ 04/May/18 ]

Done.

Comment by David Crossley [ 13/Dec/18 ]

Now finished revisiting all repositories to enable teams to be aware of vulnerability alerts.

If there is one, you will now see it on the home page and the dependency graph, and can configure how notifications are received.

Generated at Thu Feb 08 23:11:52 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.