From b594c084b2e0586c0bb56c343b7ab9e273c67b93 Mon Sep 17 00:00:00 2001 From: Murilo Dal Ri Date: Fri, 29 Dec 2023 12:34:27 +0000 Subject: [PATCH] Add info about Snyk and slack bot --- source/manual/github.html.md | 2 +- source/manual/slack-integrations.html.md | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/source/manual/github.html.md b/source/manual/github.html.md index 8716a95416..ee8ebc2ebc 100644 --- a/source/manual/github.html.md +++ b/source/manual/github.html.md @@ -59,7 +59,7 @@ When creating a new GOV.UK repo, you must ensure it: - has a well-written README (see [READMEs for GOV.UK applications](/manual/readmes.html), or the [GDS Way guidance](https://gds-way.digital.cabinet-office.gov.uk/manuals/readme-guidance.html#writing-readmes) for general repositories) - is tagged with the [`govuk`](https://github.com/search?q=topic:govuk) topic -- has [Dependency Review](/manual/dependency-review.html) and [CodeQL](/manual/codeql.html) scans in its CI pipeline +- has [Dependency Review](/manual/dependency-review.html), [CodeQL](/manual/codeql.html) and [Snyk](/manual/snyk.html) scans in its CI pipeline - is added to the [repos.yml](https://github.com/alphagov/govuk-developer-docs/blob/main/data/repos.yml) file in the Developer Docs. - We run a [daily script](https://github.com/alphagov/govuk-saas-config/blob/main/.github/workflows/verify-repo-tags.yml) to ensure that the Developer Docs' config is in sync with GitHub. diff --git a/source/manual/slack-integrations.html.md b/source/manual/slack-integrations.html.md index 35269c3ff6..1609687b31 100644 --- a/source/manual/slack-integrations.html.md +++ b/source/manual/slack-integrations.html.md 
@@ -52,3 +52,14 @@ In the Release app, the badger will notify teams [depending on the dependency_te ### Configuration [Please see these docs](/manual/sentry.html#slack-alerts). When creating a rule to send a notification to Slack, you may find that you need to input a channel ID as well as channel name. The ID can be found by clicking on the channel name in Slack and scrolling down until you can see the channel ID. + +## CI Bot + +We must ensure all our repositories undergo regular security scans to establish a fundamental level of security awareness, effectively addressing vulnerabilities in both our code and third-party dependencies and mitigating the risk of Common Vulnerabilities and Exposures (CVEs). + +To facilitate this, the CI Bot informs teams about missing scans in their repos' CI pipelines. It is currently configured to check if repos have [CodeQL(SAST)](https://docs.publishing.service.gov.uk/manual/codeql.html),[Dependency Review (SCA)](https://docs.publishing.service.gov.uk/manual/dependency-review.html) and [SNYK](https://docs.publishing.service.gov.uk/manual/snyk.html) scans. + +### Configuration + +These scans must be included as jobs in the CI pipeline of [all GOV.UK repositories](https://docs.publishing.service.gov.uk/manual/github.html#create-and-configure-a-new-gov-uk-repo). +It's essential to ensure that every repository has these scans. If there's a compelling reason to exclude a repository from this check, please modify the [ignored_ci_repos.yml](https://github.com/alphagov/seal/blob/main/ignored_ci_repos.yml) file in the Seal repository. Ensure that any exclusions are accompanied by a well-justified reason.
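Review bot: In the github.html.md hunk, the revised bullet now links to /manual/snyk.html alongside /manual/dependency-review.html and /manual/codeql.html; please confirm that the Snyk page exists in this docs tree before merging, otherwise the link will be dead as soon as the requirement is published. It would also help readers of that bullet to mention that the CI Bot (added in the slack-integrations.html.md hunk) is what notifies teams when one of the three scans is missing, so the requirement and its enforcement are cross-referenced rather than living on separate pages.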
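Review bot: The CI Bot paragraph in the slack-integrations.html.md hunk has several consistency problems: `[CodeQL(SAST)](...),[Dependency Review (SCA)](...)` is missing a space after the comma and before `(SAST)`, `SNYK` is spelled `Snyk` in the github.html.md hunk of the same patch, and the three links use absolute `https://docs.publishing.service.gov.uk/manual/...` URLs where the github.html.md hunk uses relative `/manual/...` paths. Suggest `[CodeQL (SAST)](/manual/codeql.html), [Dependency Review (SCA)](/manual/dependency-review.html) and [Snyk](/manual/snyk.html)`. In the Configuration subsection, "Ensure that any exclusions are accompanied by a well-justified reason" would be easier to act on and audit if it stated where that reason must be recorded, for example as a comment next to the entry in ignored_ci_repos.yml, so that exemptions can be reviewed and retired rather than accumulating unnoticed.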