Conversation

@gyro2009 (Contributor) commented Jul 2, 2025

No description provided.

snyk-io-eu bot commented Jul 2, 2025

Snyk checks have passed. No issues have been found so far.

Scanner               Critical  High  Medium  Low  Total (0)
Licenses              0         0     0       0    0 issues
Open Source Security  0         0     0       0    0 issues


@penwith (Contributor) previously approved these changes Aug 19, 2025

Approved.
The second paragraph under Preferred Security Tooling doesn't read very well, so it could be refined.


Before releasing applications and infrastructure into our cloud environments, it is important that we scan our assets for any potential vulnerabilities and remediate issues that exceed our risk appetite. Our current preffered security tooling for the various scanning outlets is [Snyk.io](https://app.eu.snyk.io/login) which is connected to our Github repos for Static Analysis testing and Software Composistion testing as a PR is raised. However it is greatly encouraged that the below scanning is added to your pipelines using the [provided task](https://github.com/UKHO/ukho-azure-pipeline-scan-task) so that any vulnerabilities exceeding your risk appetite do not reach your cloud environment.

Its important to understand that the tooling doesnt have context so can sometimes provide false positives or your will have a need to be excused from a issue. In these cases you can reach out to our [Cyber Security team](mailto:ukho-itso@ukho.gov.uk), your lead developer or one of the security champions for advice on mitigation/suppression of the issue.
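Review bot: the proposed text carries several spelling and grammar errors that should be fixed before merge. In the first paragraph, "preffered" should be "preferred", "Composistion" should be "Composition", and "Github" is styled "GitHub". In the second paragraph, "Its important" should be "It's important", "doesnt" should be "doesn't", "your will have a need to be excused from a issue" should read "you will need to be excused from an issue", and "mitigation/suppression of the issue" would be clearer as "mitigating or suppressing the issue". The second paragraph also tells the reader whom to ask about a suspected false positive but not who signs off on a suppression or where that decision is recorded; a sentence on that would close the gap reviewers have flagged in its wording.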
spelling: you will / your will

@martyn-fewtrell (Contributor) left a comment

As mentioned by James, looks good with the exception of the wording for para 2.

@gyro2009 gyro2009 dismissed stale reviews from martyn-fewtrell and penwith via 75a696d September 2, 2025 14:45
4 participants