What:
Each repo contains dependencies with versions which require regular updating for security fixes
Why:
This could allow for an overview of any security risks relating to dependencies to be tracked, outside of services like Dependabot, etc.
How (ACs/ Tech notes):
AC:
When:
A repo has an out-of-date dependency (missing a critical security patch)
I:
am able to see this highlighted in the web app
And: ...
When:
A repo has a dependency that is up to date/has no known security patches to be applied
I:
There is no false positive warning
And: ...
Notes:
The big undecided thing with this ticket is how dependency risk is calculated/retrieved, i.e. when do we know when to flag a risk? Could this involve the use of something external?