Securing Your Dependencies
Almost all software developed today includes open source dependencies, often hundreds or even thousands of packages. Some are included directly, but many more are included indirectly, as "transitive dependencies": dependencies pulled in by another dependency. Ultimately, over 90% of most shipped software consists of these open source dependencies.
As a result, it's crucial for developers to be able to make good decisions about dependencies as early as possible — before the dependencies are shipped into production. This prevents known vulnerabilities in dependencies from becoming vulnerabilities in your applications.
This tutorial walks through the rules Minder provides for dependency security and shows you how to apply the profile that bundles them using Minder.
What is Dependency Security?
Dependency security involves:
- Ensuring that you do not include malicious packages, or packages with known security vulnerabilities, into your project
- Ensuring that the dependencies that you use are being actively developed, and being developed with best practices, so that if there is a security vulnerability, it will be patched and released quickly.
- Ensuring that you keep up-to-date with releases, so that when security vulnerabilities are found and fixed, you apply those changes quickly, before an attacker can take advantage of them in your software.
How Minder helps secure your dependencies
Minder can examine pull requests that introduce new dependencies, or new versions of existing dependencies. It can analyze the quality of those dependencies and warn when a pull request introduces high-risk changes.
For example, Minder can:
- Ensure that pull requests do not introduce dependencies with known vulnerabilities
- Ensure that pull requests do not introduce dependencies with Stacklok Insight risk indicators, which can point to a poorly maintained package or a dependency with few other users
- Ensure that dependencies are automatically being updated with Dependabot
By default, we provide a profile called "Dependency Security" that includes these checks.
Pull Request Vulnerability Check
Pull requests can introduce new dependencies with known security vulnerabilities.
Minder's pr_vulnerability_check rule checks dependencies introduced by pull requests against the osv.dev vulnerability database.
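As an added illustration of the check this rule performs (example code written for this page, not Minder's own implementation): parse the dependency lines a pull request adds to a requirements.txt, build the request body that osv.dev's querybatch endpoint accepts, and flag any pin whose result lists known vulnerabilities. The diff, the package names and the API response below are constructed sample data so the example runs offline; a real check would POST the body to https://api.osv.dev/v1/querybatch.

```python
import json
import re

# Constructed sample: the unified diff of a PR that pins two new packages.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 requests==2.31.0
-pyyaml==6.0
+pyyaml==6.0.1
+example-widget==1.0.0
"""

# Added (+) lines only; the "+++ b/..." file header is excluded by the lookahead.
PIN_RE = re.compile(r"^\+(?!\+\+)\s*([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+!-]+)\s*$")

def added_pins(diff):
    """Return (name, version) for every pinned requirement the PR adds."""
    return [(m.group(1).lower(), m.group(2))
            for m in map(PIN_RE.match, diff.splitlines()) if m]

def osv_querybatch_body(pins, ecosystem="PyPI"):
    """Build the JSON body that osv.dev's /v1/querybatch endpoint accepts."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pins]}

def vulnerable_pins(pins, response):
    """Pair each query with its result (same order); a non-empty 'vulns' list flags the pin."""
    findings = {}
    for (name, version), result in zip(pins, response["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            findings[f"{name}=={version}"] = ids
    return findings

# Constructed response with a placeholder advisory id: pyyaml clean, example-widget flagged.
SAMPLE_RESPONSE = {"results": [{}, {"vulns": [{"id": "OSV-PLACEHOLDER-0001"}]}]}

if __name__ == "__main__":
    pins = added_pins(SAMPLE_DIFF)
    print(json.dumps(osv_querybatch_body(pins), indent=2))
    print(vulnerable_pins(pins, SAMPLE_RESPONSE) or "no known vulnerabilities")
```

Removed and unchanged diff lines are ignored, so only dependencies the PR actually introduces are queried.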
Stacklok Insight Check
Pull requests can introduce new dependencies on packages that are not actively maintained, or whose development does not follow best practices.
Minder's pr_trusty_check rule checks dependencies introduced by pull requests against Stacklok Insight. A new dependency's Stacklok Insight indicators must pass the thresholds you configure, meaning that Stacklok Insight can verify the package's authenticity and activity.
Dependabot is Enabled
Dependabot is a GitHub feature that automatically submits pull requests to update your dependencies to the latest version. This can help keep your project secure by avoiding dependencies with security vulnerabilities.
Minder's dependabot_configured rule ensures that Dependabot is configured for your Python, JavaScript, or Go repositories.
Setup
Through the Minder UI, a profile can be created to verify that pull requests are checked for dependency problems, and that Dependabot is enabled in your repositories:
- Select "Profiles" from the menu on the left.
- Select "New Profile" from the top right-hand corner of the screen.
- From the list of profiles, select "Dependency Security".
- Click "Apply" to create the profile.