Update security standards #125
Conversation
| - Use [Hakiri](https://hakiri.io/) for Ruby projects | ||
| #### Dependabot | ||
|
|
||
| Enable [Dependabot](https://docs.github.com/en/code-security/dependabot) in each repository to automatically raise pull requests when vulnerable or outdated dependencies are detected. Before enabling Dependabot, ensure the [dependency graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) is enabled. |
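Review bot: the Dependabot paragraph promises pull requests for dependencies that are merely outdated, but enabling Dependabot in repository settings only switches on alerts and security updates; version updates for outdated (non-vulnerable) dependencies require a `.github/dependabot.yml` in the repository that names the package ecosystem, directory and update schedule. Either mention that configuration file or narrow the sentence to vulnerable dependencies. The dependency-graph prerequisite is correct and worth keeping.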
This is good guidance, but the setting might be about to be enforced - it might be worth saying something about this in here?
If only I'd waited an hour!
Added a note. Once it's enabled, I'll create another PR to tweak the text further.
| | Setting | Purpose | | ||
| |---|---| | ||
| | `save-exact=true` | Saves exact dependency versions rather than version ranges. Prevents version-range drift from silently pulling in a later, potentially vulnerable release. | | ||
| | `ignore-scripts=true` | Prevents npm from running lifecycle scripts such as `preinstall` and `postinstall` during package installation. This blocks a common vector for arbitrary code execution from malicious or compromised packages. Note: some packages that compile native bindings require lifecycle scripts to function. Test your project after enabling this setting and explicitly allow any packages that genuinely need it. | |
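Review bot: "explicitly allow any packages that genuinely need it" in the `ignore-scripts=true` row has no built-in counterpart in npm, which offers no per-package allowlist for lifecycle scripts; the usual workaround is to run the scripts for just those packages after installation, for example `npm rebuild <package> --ignore-scripts=false`, so the row should name that step (or whichever mechanism is intended). Two smaller points for the same table: `ignore-scripts` also suppresses the project's own `pre` and `post` hooks around `npm run`, `npm test` and similar commands, which tends to surprise developers, and `save-exact=true` pins only the ranges written into `package.json`, while transitive versions are held by `package-lock.json`, so the drift claim in that row holds only if the lockfile is committed and honoured at install time.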
> explicitly allow any packages that genuinely need it
Could be helpful to mention / link to how to do this?
| ### Package Management | ||
| - Use NPM. | ||
| - Use npm. | ||
| - Use a package.json and package-lock.json for repeatable builds. |
We could maybe add a comment here to stress using npm ci. Something like:
- Use `npm ci` instead of `npm install` in CI/CD pipelines and production builds. It installs exactly what is in the lockfile and fails if the lockfile is out of sync with `package.json`.
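To make the "fails if the lockfile is out of sync" behaviour concrete, here is an added example (not code from the PR or from the Defra standards) that performs a simplified version of the consistency check `npm ci` runs before installing: it compares the dependency ranges declared in `package.json` with the root entry (`packages[""]`) of a lockfileVersion 2/3 `package-lock.json` and reports every difference. The two sample documents are constructed for the example; the function name `lockfileDrift` and its report format are this example's own.

```javascript
// Added example, not part of the PR: a simplified "lockfile in sync?" check
// in the spirit of what `npm ci` verifies before it installs anything.
// Real npm also validates resolved URLs and integrity hashes; this version
// only checks that the declared root dependencies agree.

function declaredDeps(manifest) {
  // Merge runtime and dev dependencies of a package.json-like object into one map.
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

function lockfileDrift(manifest, lock) {
  const problems = [];
  if (!lock.packages || !lock.packages[""]) {
    problems.push("lockfile has no root entry (lockfileVersion < 2?)");
    return problems;
  }
  const wanted = declaredDeps(manifest);          // what package.json asks for
  const locked = declaredDeps(lock.packages[""]); // what the lockfile was generated from

  // 1. every declared dependency must be recorded with the same range
  for (const [name, range] of Object.entries(wanted)) {
    if (!(name in locked)) {
      problems.push(`${name}: declared in package.json but absent from lockfile root`);
    } else if (locked[name] !== range) {
      problems.push(`${name}: package.json wants ${range}, lockfile recorded ${locked[name]}`);
    }
  }
  // 2. the lockfile must not carry root dependencies that package.json dropped
  for (const name of Object.keys(locked)) {
    if (!(name in wanted)) {
      problems.push(`${name}: present in lockfile root but not in package.json`);
    }
  }
  // 3. every declared dependency needs a resolved node_modules entry to install from
  for (const name of Object.keys(wanted)) {
    if (!lock.packages[`node_modules/${name}`]) {
      problems.push(`${name}: no node_modules/${name} entry in lockfile`);
    }
  }
  return problems;
}

// Constructed sample: package.json was edited after the lockfile was generated
// (express bumped and pinned, lodash added), so `npm ci` would refuse to run.
const samplePackageJson = {
  name: "demo",
  dependencies: { express: "4.18.2", lodash: "4.17.21" },
  devDependencies: { jest: "29.7.0" },
};
const samplePackageLock = {
  name: "demo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.17.0" }, devDependencies: { jest: "29.7.0" } },
    "node_modules/express": { version: "4.17.3", resolved: "https://registry.invalid/express-4.17.3.tgz" },
    "node_modules/jest": { version: "29.7.0", resolved: "https://registry.invalid/jest-29.7.0.tgz" },
  },
};

const drift = lockfileDrift(samplePackageJson, samplePackageLock);
console.log(drift.length ? drift.join("\n") : "lockfile in sync");
```

Running the block prints three findings for the constructed sample (the express range mismatch, and lodash missing from both the root entry and `node_modules`); a manifest and lockfile that agree produce an empty list. In a pipeline this is the difference between `npm install` quietly rewriting the lockfile and `npm ci` stopping the build so the change is reviewed.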
Good suggestion. Updated.
| latest patches. | ||
| - Separate dependencies and dev dependencies. | ||
| - Update your version number inline with the [semantic versioning standard](https://semver.org/). | ||
|
|
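Review bot: "inline with the [semantic versioning standard]" should read "in line with". The "Separate dependencies and dev dependencies" bullet would carry more weight if it said how that separation is enforced at build time, for example by installing production builds with `npm ci --omit=dev`, so development-only packages, and any lifecycle scripts they carry, never reach the deployed artefact.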
Possible additional standard:
- Vet third-party packages before installing them. Check the repository, maintainer history, download statistics and open issues.
Could link to this guidance?
https://defra.github.io/software-development-standards/guides/choosing_packages/
Added new point as suggested directing to the guide.
Updating security standards to make greater reference to GitHub Advanced Security and npm config.