Security/FirefoxOperations

96 bytes added, 13:09, 25 October 2018
* The signature verification will eventually become a requirement for shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd-party GitHub integration compromising our source code.
* [ ] Enable security scanning of 3rd-party libraries and dependencies
    * For Node.js, use [`npm audit`](https://docs.npmjs.com/cli/audit) with [audit-filter](https://github.com/mozilla-services/audit-filter) to review and handle exceptions (see the example in [speech-proxy](https://github.com/mozilla/speech-proxy/pull/6377/files#diff-b9cfc7f2cdf78a7f4b91a753d10865a2))
    * For Python, enable pyup security updates:
        * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
        * Notify secops@mozilla.com to enable the integration in pyup
* [ ] Keep 3rd-party libraries up to date (in addition to the security updates)
    * For Node.js applications, use [dependabot](https://dependabot.com/), [renovate](https://renovateapp.com/), or [GreenKeeper](https://greenkeeper.io/)
    * For Python, use `pip list --outdated`, [requires.io](https://requires.io/), or pyup outdated checks
    * For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions
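The "review and handle exceptions" step for `npm audit` is the part teams most often get wrong: a failing audit gets silenced wholesale instead of per advisory. The script below is an added illustration of that step and is not Mozilla's audit-filter; it follows the same idea (every advisory must be either fixed or listed in a checked-in exception file) so a CI job can fail only on advisories nobody has reviewed. It assumes the npm 6 `npm audit --json` layout (a top-level `advisories` object keyed by advisory id) and an exception file shaped like audit-filter's `.nsprc` (`{"exceptions": ["https://npmjs.com/advisories/<id>", ...]}`); both sample inputs are constructed and the advisory ids are not real.

```python
"""Gate a build on `npm audit --json` output, honouring a reviewed exception list.

Added example, not part of the wiki page and not Mozilla's audit-filter.
Assumptions (not taken from the page): npm 6 `npm audit --json` layout with a
top-level "advisories" object keyed by advisory id, and an exception file in
the .nsprc style: {"exceptions": ["https://npmjs.com/advisories/<id>", ...]}.
"""
import json
import sys

# Constructed sample of `npm audit --json` output (ids and modules are made up).
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1001": {"id": 1001, "severity": "high", "module_name": "example-left-pad",
                 "title": "Prototype Pollution (constructed sample)",
                 "findings": [{"version": "1.0.0", "paths": ["example-left-pad"]}]},
        "1002": {"id": 1002, "severity": "low", "module_name": "example-dev-tool",
                 "title": "ReDoS (constructed sample)",
                 "findings": [{"version": "2.3.1", "paths": ["example-dev-tool"]}]},
    },
    "metadata": {"vulnerabilities": {"low": 1, "high": 1}},
})

# Constructed .nsprc-style exception file: advisory 1002 was reviewed and accepted.
SAMPLE_NSPRC = json.dumps({"exceptions": ["https://npmjs.com/advisories/1002"]})


def parse_exceptions(nsprc_text):
    """Return the set of excepted advisory ids from an .nsprc-style JSON document."""
    data = json.loads(nsprc_text) if nsprc_text.strip() else {}
    ids = set()
    for entry in data.get("exceptions", []):
        # Accept either a bare id or the advisory URL; the id is the last path segment.
        tail = str(entry).rstrip("/").rsplit("/", 1)[-1]
        if not tail.isdigit():
            raise ValueError("unparseable exception entry: %r" % (entry,))
        ids.add(int(tail))
    return ids


def unhandled_advisories(audit_json_text, nsprc_text):
    """Advisories that are neither fixed nor excepted, sorted by id (these fail the build)."""
    audit = json.loads(audit_json_text)
    excepted = parse_exceptions(nsprc_text)
    remaining = []
    for adv in audit.get("advisories", {}).values():
        if adv["id"] in excepted:
            continue
        remaining.append({"id": adv["id"], "severity": adv["severity"],
                          "module": adv["module_name"], "title": adv["title"]})
    return sorted(remaining, key=lambda a: a["id"])


def stale_exceptions(audit_json_text, nsprc_text):
    """Exception ids that no longer match any advisory; flag them so the list is pruned."""
    audit = json.loads(audit_json_text)
    present = {adv["id"] for adv in audit.get("advisories", {}).values()}
    return sorted(parse_exceptions(nsprc_text) - present)


def main(argv):
    """Usage: npm audit --json | python audit_gate.py [.nsprc]  (no stdin: run the sample)."""
    nsprc_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_NSPRC
    audit_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    for adv in unhandled_advisories(audit_text, nsprc_text):
        print("UNHANDLED %s %-8s %s: %s" % (adv["id"], adv["severity"], adv["module"], adv["title"]))
    for stale in stale_exceptions(audit_text, nsprc_text):
        print("STALE exception %s no longer matches an advisory" % stale)
    return 1 if unhandled_advisories(audit_text, nsprc_text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `npm audit --json | python audit_gate.py .nsprc` in CI; with the constructed sample it reports advisory 1001 as unhandled and exits 1, while 1002 is silently accepted because it is in the exception list. Reporting stale exceptions keeps the file honest: once the dependency is upgraded, the entry should go away rather than linger as a blanket waiver.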