From 4cf538a583e1d11bd6ef62cf36fd9788207931f7 Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Mon, 26 Aug 2024 11:26:46 -0400 Subject: [PATCH 1/3] Add sync job postings ADR --- .adr-dir | 1 + .../decisions/0007-synchronize-job-postings-from-talent-repo.md | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 .adr-dir diff --git a/.adr-dir b/.adr-dir new file mode 100644 index 00000000..da5cac6b --- /dev/null +++ b/.adr-dir @@ -0,0 +1 @@ +docs/architecture/decisions diff --git a/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md b/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md index 6d56fe2f..1c22b38f 100644 --- a/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md +++ b/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md @@ -19,6 +19,8 @@ and training. A tool will synchronize job posting content in the Talent team repository to the TTS website repository. +The + ## Consequences Job content will need to be edited in one place that the TTS Talent From fc423d3f4ad24e35e6b0b23c1c323049a03e82e4 Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Tue, 27 Aug 2024 14:12:58 -0400 Subject: [PATCH 2/3] Update ADR --- .../0007-synchronize-job-postings-from-talent-repo.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md b/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md index 1c22b38f..a91bfff8 100644 --- a/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md +++ b/docs/architecture/decisions/0007-synchronize-job-postings-from-talent-repo.md 
@@ -9,18 +9,16 @@ Accepted ## Context Job postings from the -[Talent team repository](https://github.com/18F/join.tts.gsa.gov) need to -be posted on the new TTS website. The best case outcome would minimize -redundancy (i.e., duplicate postings, duplicate files, etc.), rework, -and training. +[Talent team repository](https://github.com/18F/join.tts.gsa.gov) +need to be posted on the new TTS website. The best case outcome would +minimize redundancy (i.e., duplicate postings, duplicate files, etc.), +rework, and training. ## Decision A tool will synchronize job posting content in the Talent team repository to the TTS website repository. -The - ## Consequences Job content will need to be edited in one place that the TTS Talent From 41f4dd98379559bf49cc5d9af041bcf5333e58ee Mon Sep 17 00:00:00 2001 From: Wes Dean Date: Tue, 27 Aug 2024 14:19:01 -0400 Subject: [PATCH 3/3] ADR to remove Snyk --- ...0006-remove-snyk-in-favor-of-dependabot.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 docs/architecture/decisions/0006-remove-snyk-in-favor-of-dependabot.md diff --git a/docs/architecture/decisions/0006-remove-snyk-in-favor-of-dependabot.md b/docs/architecture/decisions/0006-remove-snyk-in-favor-of-dependabot.md new file mode 100644 index 00000000..5fa42670 --- /dev/null +++ b/docs/architecture/decisions/0006-remove-snyk-in-favor-of-dependabot.md 
@@ -0,0 +1,37 @@ +# 6. Remove Snyk in favor of Dependabot + +Date: 2024-07-17 + +## Status + +Accepted + +## Context + +Snyk, a security scanning tool, is being used to monitor for +exploitable dependencies and notify us when they're found in +our repository. + +Grype is another, similar tool that runs in a CI/CD also +scans for dependency issues. Unlike Snyk, Grype is an +OSS tool (even though we were using a free tier of Snyk's +otherwise paid service). + +Dependabot also scans for dependencies that need to be +updated; however, it's configured to run on a periodic +basis (e.g., weekly). Therefore, even if a Pull Request +(PR) isn't being considered, Dependabot will still run to +look for dependencies that need to be updated and create +PRs to include those updates. + +## Decision + +Remove Snyk in favor of Dependabot and Grype. + +## Consequences + +We have the best both worlds in that Grype runs when commits +are pushed to PRs and Dependabot runs regularly even when +there are no new commits to scan. Vulnerability data +aren't being sent to Snyk, nor are we dependent upon a +commercial platform for dependency scanning.
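Review bot: In the PATCH 1/3 hunk for 0007-synchronize-job-postings-from-talent-repo.md, the added `+The` is a dangling sentence fragment between `## Decision` and `## Consequences`, and PATCH 2/3 then deletes it again (`-The`); squash the two commits so the history never contains a version of the ADR with an unfinished sentence, and the "Update ADR" commit message can then describe only the paragraph rewrap it actually keeps.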
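Review bot: In the PATCH 3/3 hunk adding 0006-remove-snyk-in-favor-of-dependabot.md, the Context describes Dependabot as scanning "for dependencies that need to be updated" on "a periodic basis (e.g., weekly)", while Snyk is described as monitoring "for exploitable dependencies", so the Consequences claim of "the best both worlds" leaves a gap unaddressed: a vulnerability disclosed between weekly runs on a branch with no new pushes is caught by neither tool until the next schedule or commit. State explicitly whether Dependabot's security alerts and security updates are enabled (as opposed to only scheduled version updates) and where the Grype workflow and Dependabot configuration live, so the coverage claim can be verified; also list what removing Snyk entails (workflow steps, policy file, app integration) and how any open Snyk findings are carried over. Minor: "runs in a CI/CD also scans" reads as "runs in CI/CD and also scans", and "the best both worlds" should be "the best of both worlds"; note as well that this file is numbered 0006 while 0007 already exists in the repository (see the non-zero pre-image index in PATCH 1/3), so confirm the ADR tooling pointed at by `.adr-dir` does not reuse or skip 0006.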