Starter Kits

This page collects starter kits: templates, code and configuration that help you adopt quickly the continuous testing best practices described in this guide. See the categories and links below for details.

Software Composition Analysis

This section links to sample actions, templates and configurations that analyze and validate the composition of Open Source Software (OSS) components in a software system. Identifying known vulnerabilities and licensing issues in those components, and updating them routinely, is an OSS cybersecurity best practice.

Dependabot

A GitHub ecosystem tool for dependency version and security vulnerability analysis.

Automated Dependency Updates

This Dependabot task checks automatically for newer versions of OSS components and opens pull requests that bump each dependency to the new version.

Starter Kit:

To leverage Dependabot, make sure to do the following:

  1. Discuss with your development team the cybersecurity best practice of regularly updating OSS components to their latest versions, and seek consensus on a workflow for reviewing and accepting the proposed updates.
  2. Add Dependabot automation to your repository, either via the repository settings (admin console) or manually (choose one):

Shortcut
Copy the pre-set configuration to the identical path in your repository, i.e. .github/dependabot.yml.

  3. Modify the Dependabot configuration for your project:

Requirement
Set the properties to match your repository setup, including the core packaging system (the package-ecosystem and directory values).

  4. Dependabot is now installed. Detected dependencies and the status of each run can be tracked through the dependency graph at Insights -> Dependency graph -> Dependabot, and proposed updates appear as automatically created Dependabot pull requests.
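A complete .github/dependabot.yml that carries out steps 2 through 4 above. It is an added example, not the kit's own pre-set file; the ecosystems, directories, schedule, labels and ignore rule are assumptions to adapt to your repository:

```yaml
# .github/dependabot.yml (added example; adapt ecosystems, paths and schedule to your repo)
version: 2
updates:
  # Keep the CI workflows themselves current: pinned actions are dependencies too.
  - package-ecosystem: "github-actions"
    directory: "/"                 # workflows live under .github/workflows
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "America/Los_Angeles"
    labels:
      - "dependencies"
      - "ci"

  # Python application dependencies (requirements.txt / pyproject.toml at repo root, assumed).
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 10   # cap concurrent PRs so the review queue stays manageable
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    ignore:
      # Hold back major bumps; take them deliberately rather than from the bot.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Front-end package.json in a subdirectory (assumed layout).
  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
```

Commit the file on the default branch; Dependabot reads it from there, not from a feature branch. Insights -> Dependency graph -> Dependabot then lists each configured ecosystem with the time of its last check, and it is also where a malformed file shows up as a configuration error, so look there first when no pull requests appear.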

Automated Security Updates

This Dependabot task automatically matches OSS components against known vulnerabilities (Dependabot alerts) and opens pull requests that update each flagged component to the lowest version that resolves the vulnerability.

Dependabot security updates are driven by Dependabot alerts, which in turn depend on the dependency graph being enabled for the repository. Although they run on the same automation stack as version updates, they are switched on through the GitHub Settings UI rather than through dependabot.yml. This kit assumes the Dependabot Automated Dependency Updates kit above is already installed, so that one dependabot.yml governs the labels and other options of both kinds of pull request; optionally, version updates can then be disabled so that only security updates create pull requests.

Requirement
Install and set up the Starter Kit for Dependabot Automated Dependency Updates.

To leverage this template, make sure to do the following:

  1. Discuss with your development team the cybersecurity best practice of regularly scanning OSS components for known security flaws, and seek consensus on a workflow for reviewing and accepting the proposed updates.
  2. Enable Security Updates:
    1. At Settings -> Code security and analysis -> Dependabot, select the Enable button to turn on Dependabot security updates. Dependabot alerts must already be enabled on the same page; security updates cannot be turned on without them.

Requirement
Admin rights are necessary to modify Code security and analysis settings.

  3. Modify the Dependabot configuration for your project (optional):
    1. If only security-related pull requests are desired, set the open-pull-requests-limit property to 0 in each entry under updates. This disables version updates for that ecosystem; security updates are not subject to the limit and still open pull requests.
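A dependabot.yml in security-only mode for the application ecosystems, as an added example rather than the kit's own file; the ecosystems and paths are assumed:

```yaml
# .github/dependabot.yml, security-only mode (added example; ecosystems and paths assumed)
version: 2
updates:
  # open-pull-requests-limit: 0 turns off version-update PRs for this ecosystem.
  # Security updates do not count against this limit, so vulnerable packages still
  # get PRs, provided Dependabot alerts and security updates are enabled in Settings.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"          # schedule is still required by the schema even at limit 0
    open-pull-requests-limit: 0
    labels:
      - "security"                # security-update PRs pick up labels from this entry

  - package-ecosystem: "npm"
    directory: "/web"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
    labels:
      - "security"

  # Leave GitHub Actions on normal version updates: keeping workflows pinned to
  # current action versions is itself a supply-chain control.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

To confirm the repository-level switch without opening the UI, the GitHub REST endpoint GET /repos/{owner}/{repo}/automated-security-fixes reports whether security updates are enabled (and paused) for the repository; run it after step 2 and before expecting any security pull requests.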