Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Submit sbt dependencies to GitHub for vulnerability monitoring #489

Merged
merged 4 commits into from
Jan 22, 2025
Merged

Submit sbt dependencies to GitHub for vulnerability monitoring #489

merged 4 commits into from
Jan 22, 2025
+30 −0

Conversation

gu-dependency-graph-integrator[bot]
Copy link
Contributor

@gu-dependency-graph-integrator gu-dependency-graph-integrator bot commented Dec 16, 2024
edited by kelvin-chappell
Loading

What does this change?

This PR sends your sbt dependencies to GitHub for vulnerability monitoring via Dependabot. The submitted dependencies will appear in the Dependency Graph on merge to main (it might take a few minutes to update).

What do I need to do?

  • Ensure that the version of sbt in the project is v1.5 or above in order for the dependency submission action to run.
  • A run of this action (Update Dependency Graph for sbt) should have been triggered (see the checks below) when the branch sbt-dependency-graph-614e4fbf854e7b9d was created. Sense check the output of the step "Log snapshot for user validation", and make sure that your dependencies look okay.
  • When you are happy the action works, remove the branch name trigger sbt-dependency-graph-614e4fbf854e7b9d from the file sbt-dependency-graph.yaml (aka delete line 6), approve this PR, and merge.

Why?

If a repository is in production, we need to track its third party dependencies for vulnerabilities. Historically, we have done this using Snyk, but we are now moving to GitHub’s native Dependabot. Scala is not a language that Dependabot supports out of the box, this workflow is required to make it happen. As a result, we have raised this PR on your behalf to add it to the Dependency Graph.

How has it been verified?

We have tested this workflow, and the process of raising a PR on DevX repos, and have verified that it works. However, we have included some instructions above to help you verify that it works for you. Please do not hesitate to contact DevX Security if you have any questions or concerns.

Further information for sbt

See the sbt workflow documentation for further information and configuration options.

@gu-dependency-graph-integrator gu-dependency-graph-integrator bot requested a review from a team as a code owner December 16, 2024 09:30
@gu-dependency-graph-integrator gu-dependency-graph-integrator bot requested a review from a team December 16, 2024 09:31
@kelvin-chappell kelvin-chappell merged commit 4c6071c into main Jan 22, 2025
4 checks passed
@kelvin-chappell kelvin-chappell deleted the sbt-dependency-graph-614e4fbf854e7b9d branch January 22, 2025 14:57
@prout-bot
Copy link

Seen on Rule Manager (created by @gu-dependency-graph-integrator[bot] and merged by @kelvin-chappell 9 minutes and 32 seconds ago) Please check your changes!

@prout-bot
Copy link

Overdue on Checker (created by @gu-dependency-graph-integrator[bot] and merged by @kelvin-chappell 15 minutes and 3 seconds ago) What's gone wrong?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kelvin-chappell kelvin-chappell kelvin-chappell approved these changes

Assignees
No one assigned
Labels
Overdue-on-Checker Seen-on-Rule Manager
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@prout-bot @kelvin-chappell