This document will address Jira issue PLFM-6419.


Summary of Issue

GitHub provides the “Dependabot” service on our repositories, where a project’s dependencies will be scanned to see if any dependencies are vulnerable to known security issues. If a security issue is discovered, engineers with sufficient permissions will see an alert on the repository page, and may receive an email notification. If possible, Dependabot may also create a pull request.

...

  • We would like to integrate the strategy into our existing SDLC cadences (e.g. addressing vulnerabilities at the weekly Stack Release Meeting), rather than sending additional notifications that could just be ignored.

  • It would be valuable for our approach to be easily adopted by other teams at Sage. Most of the technical approaches below could be easily modified to look at a different collection of repositories or specific GitHub team.

...

  • GitHub App + granted permissions on Sage-Bionetworks GitHub Organization

  • Code to fetch and process vulnerability data on GitHub and create Jira issues (see https://blog.developer.atlassian.com/creating-a-jira-cloud-issue-in-a-single-rest-call/, which shows that a single REST call using Basic Auth with an API token is all it takes to create an issue)
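The following is an added example of the "fetch, process, create Jira issues" step, not code from this page or from Sage Bionetworks. It assumes alerts arrive in the shape returned by GitHub's `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint (the sample alerts, advisory ids, repository and project key below are constructed placeholders) and that issues are created with Jira Cloud's `POST /rest/api/3/issue`, whose `description` field must be Atlassian Document Format. The HTTP call is injected as a `post` callable so the triage and payload logic runs offline; a real deployment would wire `post` to an HTTP client that sends `basic_auth_header(...)`.

```python
import base64
from typing import Callable, Dict, List, Tuple

# Severity values used by the GitHub Dependabot alerts API, ranked for triage.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample data, shaped like the response of
# GET /repos/{owner}/{repo}/dependabot/alerts. Advisory ids, package names
# and the repository are placeholders, not real advisories.
SAMPLE_ALERTS: List[Dict] = [
    {"number": 12, "state": "open",
     "html_url": "https://github.com/example-org/example-repo/security/dependabot/12",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0012", "severity": "high",
                           "summary": "Prototype pollution in example-lib"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-lib"},
                    "manifest_path": "package-lock.json"}},
    {"number": 13, "state": "dismissed",  # already dismissed on GitHub, so skipped
     "html_url": "https://github.com/example-org/example-repo/security/dependabot/13",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0013", "severity": "critical",
                           "summary": "Remote code execution in example-parser"},
     "dependency": {"package": {"ecosystem": "pip", "name": "example-parser"},
                    "manifest_path": "requirements.txt"}},
    {"number": 14, "state": "open",
     "html_url": "https://github.com/example-org/example-repo/security/dependabot/14",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0014", "severity": "low",
                           "summary": "ReDoS in example-regex"},
     "dependency": {"package": {"ecosystem": "npm", "name": "example-regex"},
                    "manifest_path": "package-lock.json"}},
    {"number": 15, "state": "open",
     "html_url": "https://github.com/example-org/example-repo/security/dependabot/15",
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0015", "severity": "critical",
                           "summary": "Unsafe deserialization in example-core"},
     "dependency": {"package": {"ecosystem": "maven", "name": "org.example:example-core"},
                    "manifest_path": "pom.xml"}},
]


def triage_alerts(alerts: List[Dict], min_severity: str = "medium") -> List[Dict]:
    """Keep open alerts at or above min_severity, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    kept = [a for a in alerts
            if a["state"] == "open"
            and SEVERITY_RANK.get(a["security_advisory"]["severity"], -1) >= floor]
    return sorted(kept, key=lambda a: (-SEVERITY_RANK[a["security_advisory"]["severity"]],
                                       a["number"]))


def jira_payload(alert: Dict, repo_full_name: str, project_key: str,
                 issue_type: str = "Bug") -> Dict:
    """Build the body for POST /rest/api/3/issue (v3 requires an ADF description)."""
    adv = alert["security_advisory"]
    pkg = alert["dependency"]["package"]
    summary = (f"[Dependabot] {repo_full_name}: {pkg['ecosystem']}/{pkg['name']} "
               f"({adv['severity']}) {adv['ghsa_id']}")
    text = (f"{adv['summary']}\nManifest: {alert['dependency']['manifest_path']}\n"
            f"Alert: {alert['html_url']}")
    # A per-alert label lets a later run locate the existing issue via JQL
    # (labels = "<marker>") instead of filing a duplicate every week.
    marker = f"dependabot-{repo_full_name.replace('/', '-')}-{alert['number']}"
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": issue_type},
        "summary": summary,
        "labels": ["dependabot", marker],
        "description": {"type": "doc", "version": 1, "content": [
            {"type": "paragraph", "content": [{"type": "text", "text": text}]}]},
    }}


def basic_auth_header(email: str, api_token: str) -> Dict[str, str]:
    """Jira Cloud Basic Auth header: base64("email:api_token")."""
    token = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def file_alerts(alerts: List[Dict], repo_full_name: str, project_key: str,
                post: Callable[[str, Dict], Dict],
                jira_base_url: str) -> List[Tuple[int, str]]:
    """Create one Jira issue per triaged alert; post(url, body) performs the HTTP call."""
    created = []
    for alert in triage_alerts(alerts):
        resp = post(f"{jira_base_url}/rest/api/3/issue",
                    jira_payload(alert, repo_full_name, project_key))
        created.append((alert["number"], resp.get("key", "")))
    return created


if __name__ == "__main__":
    # Dry run: print what would be sent instead of calling Jira.
    def dry_run_post(url: str, body: Dict) -> Dict:
        print("POST", url, body["fields"]["summary"])
        return {"key": "PROJ-DRYRUN"}
    print(file_alerts(SAMPLE_ALERTS, "example-org/example-repo", "PROJ",
                      dry_run_post, "https://example.atlassian.net"))
```

Dismissed alerts and anything below the severity floor are dropped before any issue is filed, so the weekly run only produces tickets the Stack Release Meeting actually needs to look at; the per-alert label is the hook for a pre-check that searches Jira before creating, which keeps reruns idempotent.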

Option 4: Manually Inspect Alerts at Regular Cadence

...