Keeping on top of security issues in our dependencies is a regular 2nd line chore.
The Vulnerability fix weekly tracking recurrent Trello card describes the checks we need to do weekly.
There are three main areas, as explained below.
The Digital Marketplace uses Snyk for finding and monitoring security vulnerabilities in all of our repos.
It periodically scans our
package.json files for dependency
information, then lets us know if any of those dependencies have security vulnerabilities
in the versions we use.
Members of the Digital Marketplace team who want to look at Snyk will need to be granted access; see Adding and removing access for new starters / leavers for details on how to do this.
Jenkins and its plugins need to be kept up-to-date. For that, we use the advisory feature built into the product’s web interface.
Automatic Docker image scanning is not part of the free tier of Snyk, but it can be done manually using the Snyk cli. See Snyk for Docker for more info on how it’s done.
For the images created by the digitalmarketplace-docker-base repo, the provided Makefile includes a recipe to run a scan and update the dependency database for you. Simply checkout the latest version of the repository on a machine with the Snyk CLI installed and run:
The result of the latest scan will then be on the Digital Marketplace Snyk page (the tool will not output scan results), and any dependencies with vulnerabilities will be highlighted.
On the free tier we are limited to 100 Docker image scans a month.