Closed nimphal closed 3 years ago
For our repos that use Gemfiles, we can use Bundler's internal security audit capability, something similar to https://github.com/ministryofjustice/hmpps-book-secure-move-api/blob/main/.circleci/config.yml#L403-L412
For our repos that use package.json, we could use something like this script here (requires audit-ci.json) https://github.com/ministryofjustice/hmpps-book-secure-move-frontend/blob/main/package.json#L267
We probably want to do these as GitHub Actions to follow the existing patterns.
https://security-guidance.service.justice.gov.uk/vulnerability-scanning-and-patch-management-guide/#the-base-principles
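As an added illustration (not part of this issue or of the linked repositories), below is a GitHub Actions workflow that runs both checks described above: bundler-audit for a Gemfile-based repo and audit-ci for a package.json-based one. The branch name, schedule, Node version, the presence of a `.ruby-version` file (needed by `ruby/setup-ruby`) and the `audit-ci.json` filename are assumptions; the actions (`actions/checkout`, `ruby/setup-ruby`, `actions/setup-node`) and the CLIs (`bundle-audit`, `audit-ci`) are real.

```yaml
# Added example workflow; assumes .ruby-version and audit-ci.json exist in the repo.
name: dependency-audit

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    # Weekly run so newly published advisories fail the build even when no code changed
    - cron: "0 6 * * 1"

jobs:
  bundler-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true   # runs bundle install and caches gems; reads .ruby-version
      - name: Audit Gemfile.lock against the ruby-advisory-db
        # --update refreshes the local copy of the advisory database before checking
        run: |
          gem install bundler-audit
          bundle-audit check --update

  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: Fail on advisories at or above the severity set in audit-ci.json
        run: npx audit-ci --config audit-ci.json
```

The severity threshold lives in `audit-ci.json` rather than the workflow, so each repo can decide what blocks a merge; for instance, a file containing `{"moderate": true}` makes audit-ci exit non-zero on any advisory of moderate severity or higher, and an `allowlist` entry can be used to temporarily accept a specific advisory ID while a fix is pending. Keeping the two jobs separate means a failing npm audit does not mask the result of the Ruby one.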