The criteria mentioned in the following document have been evaluated. They are repeated below. The linked document provides further explanations of them.
MUST ensure it has sufficient security scanning
MUST only be applied where there is no manual deployment step
MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail
SHOULD ensure it has sufficient test coverage
SHOULD only automatically patch where the dependency version bump is patch or minor
MUST ensure it has sufficient security scanning
SNYK has been removed. Dependency Review Scan and Dependabot will be the only SCA tools for the main branch. The security impact of that is being discussed (see the link above).
Nevertheless, the following comment has been made in the document linked above: "However as outlined in 2023-06-18 SCA tool evaluation for GOV.UK our current tool Dependabot outperformed other scans. Hence it’s unlikely that other options (Semgrep, Bundler Audit) will add value."
In my opinion this shows sufficient security scanning is being done, and the teams responsible for the infrastructure can easily add additional SCA tools in the future, if the decision is made that a single tool is not enough.
MUST only be applied where there is no manual deployment step
There is no manual step for this repository.
MUST ensure that branch protection rules are in place that prevent pushes to main if required status checks fail
There is a branch protection rule for the main branch which checks if "Dependency Review scan / dependency-review-pr" was successful for the branch being merged.
SHOULD ensure it has sufficient test coverage
The test coverage as measured by simplecov is 98.98%. This is above the 95% mentioned in the linked document.
SHOULD only automatically patch where the dependency version bump is patch or minor
This change only merges patch and minor releases, as explained in the comment to one of the examples in the linked document.
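For illustration, an example GitHub Actions workflow, added here and not taken from this PR or the repository, showing one way to restrict automerge to patch and minor Dependabot bumps while leaving the required "Dependency Review scan" status check to gate the actual merge; the workflow name, the fetch-metadata action version and the merge strategy are assumptions.

```yaml
# Example only (not the repository's own workflow): automerge Dependabot PRs
# for patch/minor bumps, deferring the merge itself to branch protection.
name: Dependabot automerge

on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Only act on PRs opened by Dependabot, never on human-authored PRs.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata (update type of the version bump)
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Major bumps (version-update:semver-major) do not match either value
      # below, so they stay open for manual review.
      - name: Enable automerge for patch and minor bumps only
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor'
        # --auto queues the merge: GitHub only completes it once the branch
        # protection rule's required status checks (e.g. the Dependency Review
        # scan) have passed, so a failing scan still blocks the merge.
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `if:` guard is the control that implements the "patch or minor only" criterion; the branch protection rule, not the workflow, is what enforces the required status checks.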
⚠️ This repo is Continuously Deployed: make sure you follow the guidance ⚠️
Follow these steps if you are doing a Rails upgrade.
What
Enable automerging of external dependencies
Why
To enable automerging of external dependencies in order to lessen the maintenance burden of developers.
Trello ticket