...
Because the alerts are automated and based only on a project dependency tree, a given security issue may not affect our products for various reasons. For example, we may not using a vulnerable feature, or we may only pass restricted input to a dependency which has a vulnerability which can only be exploited by unrestricted input. Therefore, assessing the true risk of a security alert may require an investigation by an engineer to determine an appropriate response.
I’ve tried to collect current (Feb. 2022) stats on Dependabot in our repos, but this information may be incomplete:
| Lref gdrive file | ||
|---|---|---|
|
Considerations
We have many active repositories, so it would be more valuable to see vulnerability alerts for multiple projects at once.
...
We would like to integrate the strategy into our existing SDLC cadences (e.g. addressing vulnerabilities at the weekly Stack Release Meeting), rather than sending additional notifications could just be ignored.
It would be valuable for our approach to be easily adopted by other teams at Sage. Most of the technical approaches below could be easily modified to look at a different collection of repositories or specific GitHub team.
Proposals
I’ve proposed a few different options and summarized what I view to be the work required to accomplish the proposal. These are not detailed estimates and are subject to change.
...