
Submit sbt dependencies to GitHub for vulnerability monitoring #253

Merged
merged 2 commits into from
Oct 21, 2024

Conversation

gu-dependency-graph-integrator[bot]

@gu-dependency-graph-integrator gu-dependency-graph-integrator bot commented Oct 17, 2024

What does this change?

This PR sends your sbt dependencies to GitHub for vulnerability monitoring via Dependabot. The submitted dependencies will appear in the Dependency Graph on merge to main (it might take a few minutes to update).

Why?

If a repository is in production, we need to track its third party dependencies for vulnerabilities. Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot. Scala is not a language that Dependabot supports out of the box, so this workflow is required to make it happen. As a result, we have raised this PR on your behalf to add it to the Dependency Graph.

How has it been verified?

We have tested this workflow, and the process of raising a PR on DevX repos, and have verified that it works. However, we have included some instructions below to help you verify that it works for you. Please do not hesitate to contact DevX Security if you have any questions or concerns.

Further information for sbt

See the sbt workflow documentation for further information and configuration options.

What do I need to do?

  • Ensure that the version of sbt in the project is v1.5 or above in order for the dependency submission action to run.
  • A run of this action should have been triggered when the branch was created. Sense-check the output of "Log snapshot for user validation", and make sure that your dependencies look okay.
  • When you are happy the action works, remove the branch name sbt-dependency-graph-bbc9cfe33ad7185b trigger from the yaml file (aka delete line 6), approve, and merge.
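For readers who want to see what the steps above refer to, the following is an added illustrative workflow, not the workflow file in this PR or the Guardian's own reusable workflow. It assumes the public scalacenter/sbt-dependency-submission action (pinned here at v2) with sbt/setup-sbt and actions/setup-java to provide a JDK and sbt on the runner; those action choices and versions are assumptions. Line 6 is the temporary branch trigger that the instructions say to delete before merging, after which the job runs only on pushes to main.

```yaml
name: Submit sbt dependencies to the Dependency Graph
on:
  push:
    branches:
      - main
      - sbt-dependency-graph-bbc9cfe33ad7185b   # temporary trigger for validation: delete this line before merging

# The snapshot is written to the repository's Dependency Graph, so the
# job needs write access to contents; no other permission is required.
permissions:
  contents: write

jobs:
  submit-dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # A JDK and sbt must be present for the submission plugin to resolve
      # the build. The project needs sbt 1.5 or later (see the PR instructions).
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: sbt/setup-sbt@v1

      # Resolves every module's dependencies and posts them as a snapshot
      # to the GitHub Dependency Submission API. Inspect this step's log
      # ("Log snapshot for user validation") on the first run to confirm
      # the resolved dependencies look right.
      - uses: scalacenter/sbt-dependency-submission@v2
```

Once the validation branch trigger is removed, the snapshot is refreshed on each push to main and Dependabot alerts are raised against the submitted dependency list rather than against nothing, which is the whole point of the PR.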

@gu-dependency-graph-integrator gu-dependency-graph-integrator bot requested a review from a team as a code owner October 17, 2024 09:30
Following the PR instructions, I’m removing the test branch trigger from
this workflow so it only runs on main.

I didn’t sense-check the dependency output this time, but since it was
working before I assume it still is.

@emdash-ie emdash-ie left a comment


This looks good to me, plus it’s only a small tweak to the existing workflow. I haven’t sense-checked the dependency graph output, but since it worked before I assume it still does.

@emdash-ie emdash-ie merged commit 65ddcd9 into main Oct 21, 2024
1 check passed
@emdash-ie emdash-ie deleted the sbt-dependency-graph-bbc9cfe33ad7185b branch October 21, 2024 11:19