To find the security alerts for a repo, first go to the Security tab of the repo and then the Code Scanning option under the Vulnerability Alerts in the sub menu. This is where [all alerts][alerts] can be found.
35
+
To find the security alerts for a repo, go to the Security tab of the repo and select the Code Scanning option in the Vulnerability Alerts sub menu. This is where [all alerts][alerts] can be found.
36
36
37
37
Additionally, when a PR is created, Brakeman scans the diff to identify vulnerabilities in the new code. These [PR specific alerts][pr-alerts] can be found on the Checks tab of the PR: select "Code scanning results" and then "Brakeman".
38
38
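Review bot: the rewritten navigation sentence on new line 35 reads well, but the UI labels Security, Code Scanning and Vulnerability Alerts are left unquoted while line 37 quotes "Code scanning results" and "Brakeman"; quoting UI labels the same way in both sentences makes the click path easier to follow.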
@@ -41,12 +41,12 @@ Additionally, when a PR is created, Brakeman scans the diff to identify vulnerab
41
41
42
42
## Dealing with false positives
43
43
44
-
There will be times when Brakeman flags up false positives in your code. You
44
+
Brakeman may occasionally flag up false positives in your code. You
45
45
should try to refactor the code to satisfy Brakeman in such a way that it would
46
-
also pass a code review. There is no benefit to refactoring the code just for
46
+
also pass a code review. There's no benefit to refactoring the code just for
47
47
Brakeman, if the resulting code is harder to understand.
48
48
49
-
There is an [example of refactoring the Content Store][content-store-example]
49
+
There's an [example of refactoring the Content Store][content-store-example]
50
50
to satisfy Brakeman where the resulting code could be considered slightly less
51
51
elegant, but still suitable without having to ignore the warning.
52
52
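Review bot: "Brakeman may occasionally flag up false positives" on new line 44 introduces a frequency claim that the original "There will be times when" did not make; unless the rate is known, "Brakeman may flag up false positives in your code" says the same without implying they are rare. The contraction changes on lines 46 and 49 match the house style applied elsewhere in this PR.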
@@ -60,13 +60,11 @@ useful tool for ignoring warnings:
60
60
$ brakeman -I
61
61
```
62
62
63
-
It will help you decide what to do with each individual warning step by step.
63
+
It'll help you decide what to do with each individual warning step by step.
64
64
65
-
If you do decide to ignore a warning, you must include a note outlining why
66
-
it is a false positive and not a security vulnerability.
65
+
If you decide to ignore a warning, you must include a note outlining why
66
+
it's a false positive and not a security vulnerability.
67
67
68
68
## Dealing with Security Alerts
69
69
70
-
If you do decide to ignore a Brakeman alert, as described above, you will also need to close the security alert in GitHub.
71
-
72
-
Alerts can be resolved by dismissing the alert as a false positive. You must include a note outlining why it is a false positive and not a security vulnerability.
70
+
See [this guidance on security alerts](/manual/security-alerts.html).
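Review bot: the removed lines 70-72 carried the requirement that ignoring a warning with `brakeman -I` must be paired with dismissing the matching GitHub alert and leaving a note explaining why it is a false positive; the replacement on new line 70 links to the shared guidance without saying that both steps are needed. Suggest keeping a one-line pointer such as "If you ignore a Brakeman warning you must also dismiss the matching GitHub alert; see [the guidance on security alerts](/manual/security-alerts.html)", which also replaces the non-descriptive link text "this guidance".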
source/manual/codeql.html.md
+3-10
@@ -7,7 +7,7 @@ type: learn
7
7
parent: "/manual.html"
8
8
---
9
9
10
-
[CodeQL][codeql] is a Static Application Security Testing (SAST) tool which checks for vulnerability signatures in a repository's codebase. It is [configured as a reusable workflow][reusable-codeql] and should be included as a job in the CI pipeline of all GOV.UK repositories. A reusable workflow design was selected so that enhancements to the scanning process can be managed centrally.
10
+
[CodeQL][codeql] is a Static Application Security Testing (SAST) tool which checks for vulnerability signatures in a repository's codebase. It's [configured as a reusable workflow][reusable-codeql] and should be included as a job in the CI pipeline of all GOV.UK repositories. The reusable workflow enables enhancements to the scanning process to be managed centrally.
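Review bot: the new wording on line 10, "The reusable workflow enables enhancements to the scanning process to be managed centrally", describes what the workflow does but drops the rationale the original stated ("A reusable workflow design was selected so that ..."); if the point of the sentence is to explain why a reusable workflow is used, keeping "so that enhancements ... can be managed centrally" preserves that. The "It is" to "It's" change is consistent with the rest of the PR.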
To find the security alerts for a repo, first go to the Security tab of the repo and then the Code Scanning option under the Vulnerability Alerts in the sub menu. This is where [all alerts][codeql-alerts] can be found.
29
+
To find the security alerts for a repo, go to the Security tab of the repo and select the Code Scanning option in the Vulnerability Alerts sub menu. This is where [all alerts][codeql-alerts] can be found.
30
30
31
31
Additionally, when a PR is created, CodeQL scans the diff to identify vulnerabilities in the new code. These [PR specific alerts][codeql-pr-alerts] can be found on the Checks tab of the PR: select "Code scanning results" and then "CodeQL".
32
32
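Review bot: new lines 29-31 are now word-for-word the same navigation text as brakeman.html.md lines 35-37 in this PR, differing only in the link reference; since the PR is already consolidating alert handling into security-alerts.html.md, consider moving these instructions there as well and linking to them, so the two copies cannot drift apart on the next UI change.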
@@ -35,14 +35,7 @@ Additionally, when a PR is created, CodeQL scans the diff to identify vulnerabil
35
35
36
36
## Dealing with Security Alerts
37
37
38
-
Currently, CodeQL is configured to [only identify vulnerabilities of a high severity and high precision][codeql-config]. Additionally, it will not fail the test when vulnerabilities are found: it will only create an alert and move on. This is to reduce the number of false positives and avoid wasting developer time. Over time, we intend to tune the dial to make CodeQL more strict.
39
-
40
-
CodeQL will provide a recommendation on how to resolve a vulnerability along with references for additional research.
41
-
42
-
Alerts can be resolved either by fixing the identified vulnerability or by dismissing the alert as a false positive. More details on this can be found in the [CodeQL documentation][codeql-docs]. If you do decide to ignore a warning, you must include a note outlining why it is a false positive and not a security vulnerability.
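Review bot: this hunk removes every line under the retained "## Dealing with Security Alerts" heading (old lines 38-43) but shows no replacement beneath it, unlike the brakeman.html.md hunk, which added a link to /manual/security-alerts.html; confirm the heading is not left empty and that the same pointer follows. Removing old line 38 also drops the statement that CodeQL does not fail the check when vulnerabilities are found; that fact survives only in security-alerts.html.md ("CodeQL does not block builds"), so readers of this page need the link to still find it.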
source/manual/dependency-review.html.md
+3-9
@@ -7,7 +7,7 @@ type: learn
7
7
parent: "/manual.html"
8
8
---
9
9
10
-
The [Dependency Review action][dependency-review-action] is a Software Composition Analysis (SCA) scan which diffs the old code and new code to identify whether there are any changes to the dependencies included in the project. It is [configured as a reusable workflow][reusable-workflow] and should be included as a job in the CI pipeline of all GOV.UK repositories. A reusable workflow design was selected so that enhancements to the scanning process can be managed centrally.
10
+
The [Dependency Review action][dependency-review-action] is a Software Composition Analysis (SCA) scan which diffs the old code and new code to identify whether there are any changes to the dependencies included in the project. It's [configured as a reusable workflow][reusable-workflow] and should be included as a job in the CI pipeline of all GOV.UK repositories. The reusable workflow enables enhancements to the scanning process to be managed centrally.
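Review bot: the modified line 10 keeps "diffs the old code and new code to identify whether there are any changes to the dependencies", which reads as though the action compares source; since the line is being edited anyway, "compares the dependencies of the base and head commits" states what the scan does more precisely. As in the codeql.html.md change, "The reusable workflow enables ..." loses the "was selected so that" rationale; keep "so that enhancements ... can be managed centrally" if that rationale is the point.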
Alerts can always be found in the job logs. Additionally, there is a job summary displayed beneath the GitHub Action run. Here, changes are summarised along with any vulnerabilities found.
27
+
Alerts can always be found in the job logs. There's also a job summary displayed beneath the GitHub Action run where changes are summarised, along with any vulnerabilities found.
28
28
29
29
## Dealing with Security Alerts
30
30
31
-
Currently, Dependency Review is [configured to find "critical" issues][dependency-review-config]. If issues are found, the check automatically 'fails' and therefore blocks merging of the PR. We therefore want to avoid false positives and wasting developer time, so have set the bar high and only alert on critical issues. Over time, we intent to tune the dial so this becomes more strict.
32
-
33
-
Alerts can be resolved only by fixing the issue and running the tests again. Vulnerability alerts provide a link to the [GitHub advisory][gh-advisory] database where advice on resolving the issue can be found. Dismissing an alert requires adding the GitHub Advisory Database ID (GHSA) to the inline configuration [via the `allow-ghsas` property][skip-alert]. As the workflow is a communal resource, this should be done sparingly and include a well detailed comment about why it is being skipped.
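Review bot: the removed lines 31-33 were the only place documenting the `allow-ghsas` escape hatch (adding a GHSA ID to the inline configuration to skip an alert) and the expectation that it is used sparingly with a detailed comment; the new security-alerts.html.md text in this PR says only that alerts are resolved by updating the dependency and re-running the checks. Either keep a sentence here about `allow-ghsas` or add it to the shared guidance, so the documented route for a deliberate exception, and the requirement to justify it, is not lost.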
source/manual/security-alerts.html.md
+4-10
@@ -21,13 +21,7 @@ When a security alert is raised, follow these steps:
21
21
22
22
### Dismissing Alerts
23
23
24
-
When dismissing an alert, choose one of the predefined reasons in GitHub:
25
-
26
-
- False positive
27
-
- Used in tests
28
-
- Won't fix
29
-
30
-
You must add a comment explaining your reasoning and any supporting investigation. This ensures traceability and context for future reviewers.
24
+
When dismissing an alert, choose one of the predefined reasons in GitHub. You must add a comment explaining your reasoning and any supporting investigation. This ensures traceability and context for future reviewers.
31
25
32
26
---
33
27
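Review bot: collapsing lines 24-30 into the single sentence on new line 24 removes the three named dismissal reasons (False positive, Used in tests, Won't fix), so readers no longer see which options exist or what choosing "Won't fix" commits them to; keep the list, or at least state that a "Won't fix" dismissal needs the same written justification as a false positive, since the comment requirement on line 24 is the only control that remains.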
@@ -42,15 +36,15 @@ Brakeman alerts are static analysis results for Ruby applications.
42
36
43
37
### CodeQL (Code Scanning)
44
38
45
-
CodeQL identifies vulnerabilities of **high severity and precision**.
39
+
CodeQL is currently [configured to only identify vulnerabilities of high severity and precision](https://github.com/alphagov/govuk-infrastructure/blob/f9c3b2bddf407d78c04552563a4ba23a89c8af61/.github/workflows/codeql-analysis.yml#L24-L35).
46
40
47
41
- CodeQL does **not block builds**; it simply creates alerts for later review.
48
-
- Alerts include recommendations and references for resolving issues.
42
+
- Alerts include recommendations and references for resolving issues. More details on this can be found in the [CodeQL documentation](https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository).
49
43
- You may fix or dismiss alerts, but dismissals **must** include a comment explaining why.
50
44
51
45
### Dependency Review
52
46
53
-
Dependency Review checks for known critical vulnerabilities in pull requests.
47
+
Dependency Review checks for known vulnerabilities in pull requests. It's currently [configured to find "critical" issues](https://github.com/alphagov/govuk-infrastructure/blob/main/.github/workflows/dependency-review.yml).
54
48
55
49
- It **blocks merges** when critical issues are found.
56
50
- Alerts are resolved by updating the dependency and re-running the checks.
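Review bot: the two new configuration links pin differently: new line 39 links codeql-analysis.yml at a fixed commit with a #L24-L35 anchor, which will silently go stale as the workflow changes, while new line 47 links dependency-review.yml on main, which stays current but may stop pointing at the relevant setting. Pick one convention (a main link is easier to keep accurate; if a line range is wanted, say it is a snapshot). New line 47 also drops "critical" from "known critical vulnerabilities", which is fine because the severity is restated in the next clause, but "currently configured" on lines 39 and 47 invites a follow-up edit when the threshold changes, and the "Over time, we intend to tune the dial" wording removed from codeql.html.md is no longer anywhere to explain that intent.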