Open KellyAH opened 1 year ago
Good call!
Will this give us anything more in addition to what we get from Dependabot? I feel like Dependabot is marginally better because it keeps itself up-to-date with the latest CVEs, while Brakeman is a gem that we would have to always keep updating to make sure not to miss anything.
For reference, here are the Dependabot security alerts we've been getting (and resolving): https://github.com/zinc-collective/convene/security/dependabot?q=is%3Aclosed
The difference between the two is that Brakeman provides static analysis, whereas Dependabot bumps packages.
The security side of Dependabot also performs static analysis and sends security alerts.
The only difference I see with Brakeman is that Brakeman can do it on not-checked-in code, while Dependabot only runs on code that's already in the repo.
Here is an example Dependabot security alert for Convene from 3 days ago:
Oh, and Dependabot looks at JavaScript and Ruby issues, while Brakeman I think is Ruby-only.
Gotcha, so you're suggesting we use the GitHub Code Scanning feature (which uses something called CodeQL under the covers? https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) as opposed to Brakeman. I don't have a preference either way.
@KellyAH would continuing to rely on Dependabot's security alerts satisfy your goals with this ticket?
Try running Brakeman on PRs to catch changes that are security issues.
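One way to run Brakeman on PRs without failing every build on warnings that already exist on the default branch is to diff the branch's report against a baseline, as an added example that is not code from the Convene project or from Brakeman itself. It assumes two Brakeman JSON reports (the kind `brakeman -f json -o report.json` writes) and keys on Brakeman's per-warning `fingerprint` field; the two reports embedded below are constructed sample data, and the script name `brakeman_pr_gate.rb` is hypothetical.

```ruby
# Added example (not code from the Convene project or from Brakeman): fail a
# PR check only when the branch introduces Brakeman warnings that the default
# branch does not already report. Inputs are two Brakeman JSON reports, such
# as those produced by `brakeman -f json -o report.json` on each branch; the
# two reports embedded here are constructed sample data.
require "json"

# Brakeman reports confidence as High, Medium or Weak.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Constructed baseline report for the default branch: one accepted warning.
BASELINE_JSON = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Mass Assignment",
        "fingerprint": "fp-baseline-0001",
        "confidence": "Medium",
        "file": "app/controllers/example_controller.rb",
        "line": 40,
        "message": "Parameters should be whitelisted for mass assignment"
      }
    ]
  }
JSON

# Constructed report for the PR branch: the accepted warning plus two new ones.
CURRENT_JSON = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Mass Assignment",
        "fingerprint": "fp-baseline-0001",
        "confidence": "Medium",
        "file": "app/controllers/example_controller.rb",
        "line": 40,
        "message": "Parameters should be whitelisted for mass assignment"
      },
      {
        "warning_type": "SQL Injection",
        "fingerprint": "fp-pr-0002",
        "confidence": "High",
        "file": "app/models/example.rb",
        "line": 12,
        "message": "Possible SQL injection"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "fingerprint": "fp-pr-0003",
        "confidence": "Weak",
        "file": "app/views/examples/show.html.erb",
        "line": 7,
        "message": "Unescaped model attribute"
      }
    ]
  }
JSON

# Index a report's warnings by Brakeman's stable per-warning fingerprint.
def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch("warnings", []).to_h { |w| [w["fingerprint"], w] }
end

# Warnings present in the current report but absent from the baseline,
# filtered to at least `min_confidence` and ordered highest confidence first.
def new_warnings(baseline_json, current_json, min_confidence: "Medium")
  known = warnings_by_fingerprint(baseline_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  warnings_by_fingerprint(current_json)
    .reject { |fingerprint, _| known.key?(fingerprint) }
    .values
    .select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
    .sort_by { |w| [-CONFIDENCE_RANK.fetch(w["confidence"], 0), w["file"], w["line"].to_i] }
end

# One-line summary of a warning for the CI log.
def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']} - #{w['message']}"
end

# Exit status for the CI step: 1 when the branch introduces warnings, else 0.
def pr_check_status(baseline_json, current_json, min_confidence: "Medium")
  new_warnings(baseline_json, current_json, min_confidence: min_confidence).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  # Usage in CI: ruby brakeman_pr_gate.rb baseline.json current.json
  # With no arguments the constructed sample reports above are used.
  baseline, current = ARGV.size == 2 ? ARGV.map { |path| File.read(path) } : [BASELINE_JSON, CURRENT_JSON]
  found = new_warnings(baseline, current)
  if found.empty?
    puts "No new Brakeman warnings at Medium confidence or above."
  else
    puts "New Brakeman warnings introduced by this branch:"
    found.each { |w| puts "  #{format_warning(w)}" }
  end
  exit(pr_check_status(baseline, current)) if ARGV.size == 2
end
```

Run it as a CI step after producing the two reports and the job fails only on newly introduced Medium or High warnings, which keeps a pre-existing backlog from blocking every PR; pass `min_confidence: "Weak"` to be stricter. Brakeman's fingerprints change when the flagged code moves or is edited, so a refactor of an already-accepted warning will surface as "new" and needs a human look. Brakeman also ships its own `--compare` option against a previous JSON report, which covers the same idea if you would rather not maintain a script.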