govuk-one-login / tech-docs

Documentation for integrating with GOV.UK One Login
https://docs.sign-in.service.gov.uk/
MIT License

Configure dependabot to check for updates to dockerfiles #213

Closed ethanmills closed 4 months ago

ethanmills commented 5 months ago

Why

To make it easier to maintain up-to-date dependencies

What

Configure dependabot to raise update PRs against docker base images

Technical writer support

None

How to review

Basic syntax check

Changelog

Not required

Confirm

huwd commented 4 months ago

Spoke to @andyloughran about this, @ethanmills you might want to check that GitHub can get access to scan this properly. Andy reckoned that apparently DepBot doesn't look at the static Dockerfile; it looks at the built artifact.

And if the registry isn't the standard docker.io registry then what DepBot can do here might be limited by the access it has to AWS... which should be push only here as part of least privilege.

@andyloughran has a plan here, so perhaps chat with him before hitting merge?
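For reference, an added example of what the configuration described in this PR looks like (this is not the file ethanmills committed, which is not shown on this page): a `.github/dependabot.yml` that enables the `docker` ecosystem and, for the non-docker.io registry case raised above, declares a registry entry whose credentials are kept in repository secrets. The registry name, account id, region and secret names are placeholders.

```yaml
# .github/dependabot.yml (added example; not the file from this PR)
version: 2

# Only needed when base images are pulled from a registry other than docker.io.
# Dependabot needs read (pull/list-tags) access here; keep these credentials a
# separate read-only identity rather than the push credentials used by the
# build pipeline, so the registry stays push-only for the pipeline itself.
registries:
  private-ecr:                                              # hypothetical name
    type: docker-registry
    url: https://<ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com  # placeholder URL
    username: ${{ secrets.ECR_READONLY_ACCESS_KEY_ID }}     # placeholder secret
    password: ${{ secrets.ECR_READONLY_SECRET_ACCESS_KEY }} # placeholder secret

updates:
  - package-ecosystem: "docker"   # checks the base images referenced by Dockerfiles
    directory: "/"                # directory containing the Dockerfile
    schedule:
      interval: "weekly"
    registries:
      - private-ecr               # omit this block when only docker.io images are used
    labels:
      - "dependencies"
```

Without the `registries` block, Dependabot can only resolve tags it can reach anonymously on docker.io, which is the limitation the comment above describes.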

andyloughran commented 4 months ago

I've reviewed my plan as part of LS-2262, and I think the only thing that's missing will be metadata regarding the deltas. AWS::Inspector will look deeper inside the container than dependabot is able to; so I think this configuration recommendation is good for now.

However, I would remove references to 'BAU' - as this is not a practice our official documentation should endorse. All changes should have an associated JIRA ticket.

ethanmills commented 4 months ago

BAUs removed.