get to prod tasks
71
tasks/web-production/20-dependency-scanning.md
Normal file
@@ -0,0 +1,71 @@
# 20. Dependency Vulnerability Scanning

meta:
id: web-production-20
feature: web-production
priority: P1
depends_on: []
tags: [security, dependencies, production]

objective:
- Implement continuous dependency vulnerability scanning and automated updates

deliverables:
- npm audit integration in CI
- Snyk or Dependabot monitoring
- Automated security patch PRs
- SBOM (Software Bill of Materials) generation

steps:
1. Set up automated scanning:
- Enable Dependabot alerts in GitHub repository settings
- Configure Dependabot version updates (weekly)
- Add Snyk integration for deeper analysis
- Configure Snyk to fail builds on high+ severity
2. Add CI scanning:
- `pnpm audit --audit-level=high` in GitHub Actions
- `snyk test` in CI pipeline
- Block PR merge on high/critical vulnerabilities
3. Implement automated patching:
- Dependabot auto-PR for patch updates
- Snyk auto-fix PRs for fixable vulnerabilities
- Manual review required for major version updates
4. Generate SBOM:
- Use cyclonedx or spdx-sbom-generator
- Generate on every release
- Store with release artifacts
5. Audit current dependencies:
- Run `pnpm audit` and fix all high/critical issues
- Check for unmaintained packages
- Review direct dependencies for necessity
- Remove unused dependencies
6. Set up alerting:
- Slack notification for new vulnerabilities
- Weekly vulnerability report
- Emergency alert for critical CVEs

tests:
- Security: Introduce vulnerable package → CI blocks merge
- Integration: Verify Dependabot creates PR for outdated package
- Audit: SBOM generated and contains all dependencies

acceptance_criteria:
- Zero high or critical vulnerabilities in dependencies
- Dependabot monitoring all dependencies
- CI fails on high+ severity vulnerabilities
- SBOM generated for every release
- Automated PRs for security patches within 24 hours
- Weekly dependency update report
- All unused dependencies removed

validation:
- `pnpm audit` → 0 high/critical findings
- Check GitHub Security tab → no open alerts
- Merge PR with vulnerable package → CI fails
- Create release → SBOM artifact attached

notes:
- Some vulnerabilities may be in devDependencies — these are lower priority
- Focus on production dependencies first
- Consider using pnpm overrides for emergency patches
- Review major version updates carefully for breaking changes
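Review bot: the acceptance criterion "Automated PRs for security patches within 24 hours" cannot be met by step 1 as written, because the only Dependabot PR mechanism it configures is "Dependabot version updates (weekly)"; "Dependabot alerts" on their own only notify and open no PRs. Add a bullet to step 1 such as "- Enable Dependabot security updates (separate setting from version updates)", which opens a PR when an alert is raised instead of waiting for the weekly schedule, and consider making that the thing step 3's "Dependabot auto-PR for patch updates" refers to. Two smaller points: the deliverable "npm audit integration in CI" should say pnpm audit to match steps 2 and 5 and the validation section, and since the notes say to focus on production dependencies first, scoping the merge-blocking check in step 2 to them with `pnpm audit --audit-level=high --prod` keeps devDependency findings from failing builds while the notes rank them lower priority.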