As [everyone], I don't want security vulnerabilities from out-of-date dependencies

[afeld]

We need to ensure that software packages with known vulnerabilities are updated in a timely manner. In the two days since I got added as a GitHub owner yesterday, I have gotten 33 "One of your dependencies has a security vulnerability" emails from GitHub 🙀

• [x] Read Binding Operational Directive (BOD) 19-02 and ensure our plans are in line with it
• [x] Read the OWASP Top Ten entry about it
• [x] Go through @saracope's Open Source Security talk
• [x] Write announcement for TTS
• [x] Send announcement to TTS
• [x] Archive repositories that are no longer maintained, to cut down on noise
• [x] Update the script to do this en masse
• [x] Enable automated security fixes
• [x] Update Before You Ship and Handbook - https://github.com/18F/before-you-ship/pull/404 and https://github.com/18F/handbook/pull/1457
• [x] Figure out a good way to review open vulnerabilities
  • [x] Open Dependabot pull requests - set up a reminder to check weekly
  • [ ] Vulnerabilities without pull requests
  • [ ] A dashboard?
• [x] Go back and do the archiving and automation enabling for our other organizations - will do through #83

[afeld]

Ha, totally forgot I pitched a 10x project around this.

[afeld]

Unfortunately, not seeing an API/setting to enable automated security fixes en masse. Emailed GitHub Support about it. Could maybe click through with Puppeteer in the meantime.

[afeld]

From GitHub Support:

You're in luck—the Enable automated security fixes and Disable automated security fixes API endpoints are currently available for developers to preview.

In addition, the enable-security-alerts-for-org.js script in the github/enable-security-alerts-sample repository can be used to enable security vulnerability alerts in all of the repositories in a given organization.

[afeld]

Announcement letter for TTS.

[afeld]

Archived 18F repositories

• 10x-Modern-Contract-Vehicles
• 10x-post-product-development
• 10x-translation-service
• 10X-Users-First
• Accessibility_Reviews
• acq-presentations
• acq-stack-track-app
• acq-tech-presentations
• acqstack-journeymap
• acquisitions.18f.gov
• afrs-pa
• agency-ocio-pa
• agile
• AK-modular-experience
• alaska-child-welfare
• an_introduction_to_python
• API-Usability-Testing
• atc-trello
• atul-docker-presentation
• billability
• bpa-fedramp-dashboard
• cf-cd-example
• cf-nuxeo-demo
• cf-redirect
• cg-bootstrap-concourse-ami
• cg-client-event-tracker
• cg-demos
• cg-deploy-powerdns
• cg-deploy-rds-broker
• cg-deploy-uaa-guard-broker
• cg-design
• cg-harden-boshrelease
• cg-nessus-agent-boshrelease
• cg-nessus-manager-boshrelease
• cg-postmortems
• cg-snort-boshrelease
• cg-ssp
• cg-windows-stemcell-builder
• cg-workshop
• chandika
• chat
• clinical-trials-prototype
• clone_army
• cloud-starterkit
• CMS-APIs
• code-of-conduct
• codereviews
• coffeemate
• concourse-broker
• connect.gov
• continua11y
• continua11y-dashboard
• core-values
• couch-rules-engine
• credentials-rotator
• data-ingest-scaffolding
• design-projects
• Design-Wiki
• devops-workshop
• disa-eagency
• discover-our-work
• docker-fugacious
• domain-gather
• domain-scan-orchestration
• dos-ops-center-kms
• dotgov-list-node
• dtmo-jtr-prototype
• dtmo-pa
• easy-wcag
• ekip-api
• elasticsearch-rails-ha-gem
• emoji_search
• ethics
• exit-ramp
• fbopen-docs
• fbopen-widget
• federalist-404-page
• federalist-docs
• federalist-themes
• ffd-microsite
• fpki-testing
• FS-Open-Forest-Demo-Repo
• fugacious-landing
• g-content
• gapps-download
• google-speech-poc
• grouplet-playbook
• gsa-adv-cart-analysis-private
• guides
• hs-chargemaster
• identity-analysis-sandbox
• identity-deed
• identity-design
• identity-devops-private.example
• identity-equifax-api-client-gem
• identity-experian-client-api-gem
• identity-fraud-detection
• identity-intro
• identity-oidc-ios
• identity-playbook
• identity-proofer-gem
• identity-redshift
• identity-transunion-client-api-gem
• identity-usability-testing
• informed-consent-form
• its70-fs-epermit-scale-up
• javascript-lessons
• joining-18f
• kubernetes-broker-exporter
• learn-github-playground
• login-data-explorer
• login-gov-support
• marketing-materials
• micropurchase-archive
• navair-pa
• nginx-buildpack-release
• NIH-PHAROS
• nsf-unified-design-system
• oauth2-proxy-boshrelease
• ogp-payroll
• omb-eregs
• omb-eregs-static-prototypes
• omniauth_login_dot_gov
• onboarding-documents
• ops-improvements
• Paid-Leave-Prototype
• participation-lenses
• performance-gov-research
• PriceHistoryAPI
• product-training
• project-guide
• pubmed-prototypes
• pubmed-tests
• pyfpds
• raktabija
• s3-encryptor
• service-inventory-oce-pa
• sheet2docs
• sidekiq-ent
• slack-export-handling
• spelunker
• sql_insert_writer
• strategy-internal
• stylelint-rules
• template-form
• test
• test-netlify-cms
• test2
• tock-blocks
• transformation-research
• trello-card-tracker
• tts-buy-challengegov-ideation
• tts-buy-ckan-multitenant
• tts-buy-cloud-marketplace-dev-team
• tts-buy-cloudgov-3pao
• tts-buy-code-review
• tts-buy-codegov
• tts-buy-crowdsourced-pentest
• tts-buy-datagov-ckan
• tts-buy-datagov-technical-support-services
• tts-buy-development-desgin-research-bpa
• tts-buy-login-engineering
• tts-buy-searchgov-security-layer
• tts-buy-ttswide-3pao
• tts-dogfood
• tts-internal-buy-starter-repo
• tts-public-comments
• unified-analytics-dashboard
• united
• us_web_design_standards_gem
• us-federal-holidays
• usda-snap-pa
• uswds-rails-gem
• uswds-simple-sass
• web-design-standards-ux
• wg-working-groups
• wic_rules
• zap-analyzer

Will be going through and unarchiving ones I know to be in use, and as requested by TTS.

[afeld]

Proposal to make the letter a blog post: https://github.com/18F/blog-drafts/issues/743

[afeld]

Done! Open issues / pull requests are linked.

[afeld]

Code for this lives in ghad.