
Designing a mechanism for Dependabot issues/alert handling

Open jasonviviano opened this issue 1 year ago • 1 comment

Description

Currently the repo has no mechanism to handle vulnerability alerts from Dependabot, such as:

https://github.com/radius-project/docs/security/dependabot

We need to decide how Dependabot handles credentials and what the performance requirements are for tests if any.

Describe the solution you'd like

We need a solution that incorporates the discussions that will be held on this, with the goal being a strategy that takes a top-to-bottom approach to what configurations we need to consider, as well as the considerations and current approaches that other Radius repos have taken.

Examples can range from a manual mechanism to GitHub Actions configurations, such as:

  • PR in our dashboard repo: https://github.com/radius-project/dashboard/pull/58

AB#11616

jasonviviano avatar Mar 25 '24 17:03 jasonviviano

@jasonviviano We should probably take the following actions to address this:

  1. Create separate issues (reported as bugs) for each of the Dependabot alerts so that they may be investigated in case of vulnerabilities.
  2. Take a more holistic approach to figure out a strategy for how we should be configuring and using Dependabot in the Docs repo (it is turned off today) - repurpose this issue to track this effort.

willtsai avatar Mar 25 '24 18:03 willtsai
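For the second action item above (working out how Dependabot should be configured in the Docs repo), the following is an added example of a `.github/dependabot.yml`; it is not the radius-project/docs configuration or anything from the dashboard PR linked above. It assumes the docs site has an npm manifest at the repository root and that CI is driven by GitHub Actions workflows; both are assumptions for illustration.

```yaml
# .github/dependabot.yml
# Added example, not the radius-project/docs configuration.
version: 2
updates:
  # Assumption: an npm package.json lives at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open version-update PRs so a maintainer is not flooded.
    open-pull-requests-limit: 5
    # Group routine minor/patch bumps into a single PR. By default groups apply
    # to version updates only, so security updates still arrive as separate PRs
    # that can be triaged individually.
    groups:
      npm-minor-and-patch:
        update-types: ["minor", "patch"]
    labels:
      - "dependencies"

  # Keep the actions referenced by CI workflows current as well; a pinned
  # action with a known vulnerability is part of the supply chain too.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

One caveat worth keeping in mind while deciding the strategy: this file only governs Dependabot version updates. Dependabot alerts (the list at the `/security/dependabot` URL in the description) and Dependabot security updates are switched on per repository under the repository's code security settings, not in `dependabot.yml`, so "turned off today" has to be addressed there as well as here.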