trainline/webpack-bundle-delta

Setup automated security audit

Closed this issue · 3 comments

At present we don't have an automated security audit which could fix issues automatically from dependencies which might have security vulnerabilities.

GitHub has a built in system using dependabot or alternatively we can use a different tool such as Snyk or renovate.

Need to discuss here and then implement what we think is most appropriate.

Reference: #7

@santino any strong feelings? I'm in favour of trying to get the native dependabot working just so we keep the repo as simple as possible, but would be good to have your thoughts.

Note: appropriate permissions are required to set up the security aspect (I believe).

I was browsing through the settings and thinking about adding this in fact.
I think we start with built-in GitHub dependabot and see how it goes.

I have activated this and it started raising PRs; so I'm going to close this issue :)
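For reference, the configuration that drives Dependabot's scheduled version-update PRs lives in `.github/dependabot.yml`. The file below is an added example, not a file from the trainline/webpack-bundle-delta repository; it assumes the project is an npm package with its `package.json` at the repository root.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "npm"   # assumption: dependencies are managed with npm
    directory: "/"             # assumption: package.json sits at the repo root
    schedule:
      interval: "weekly"       # how often Dependabot checks for newer versions
    open-pull-requests-limit: 5  # cap concurrent update PRs to keep review load manageable
    labels:
      - "dependencies"         # label applied to every PR Dependabot opens
```

Dependabot security updates (the PRs that fix advisories in dependencies, which is what this issue is about) are not enabled by this file; they are switched on per repository under Settings, and that requires admin permissions, which matches the note above. The file only controls the routine version-update PRs, so both pieces are typically used together.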