Security alerts à la GitHub
Description
GitHub has just released a new feature that provides security alerts for vulnerable dependencies in your repositories. This would be really useful for our on-premise GitLab installation.
https://github.com/blog/2470-introducing-security-alerts-on-github
Proposal
Develop a capability complementary to GitHub's security alerts feature: mine the 3rd party library dependencies of local repositories, identify security vulnerabilities based on published CVEs, and send alerts to the repository owner and to a configurable global email address (separate from the main address, since a different team will be responsible for tracking and following up on remediations).
Links / references
https://github.com/blog/2470-introducing-security-alerts-on-github
Documentation blurb
See the GitHub documentation for what I would suggest.
Overview
This should be largely self-explanatory: it would benefit all software developers by adding security in depth.
Use cases
This would benefit all software developers who use 3rd party open source code as well as those who are writing shared libraries for 3rd parties.
Feature checklist
- Enumerate repository dependencies
- Scan 3rd party libraries against published vulnerability sources such as the CVE list
- Email the project owner and a configured email address once a vulnerability has been identified
- The email should include references to remedial options
- Provide a dashboard listing projects with suspected vulnerabilities, ordered by severity and/or count of vulnerabilities, along with the date discovered
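The checklist above, sketched end to end as an added example (this is not GitLab's code or part of the proposal itself): a Gemfile.lock-style manifest is parsed to enumerate pinned dependencies, each pin is matched against an advisory feed using version ranges, an alert addressed to both the owner and the configured security address is built with remediation references, and projects are ranked for the dashboard. The lockfile, the advisory records and the email addresses are constructed for the example, and the CVE identifiers are placeholders rather than real CVEs; a real feed would be fetched from a vulnerability database.

```ruby
# Added example, not GitLab's own code: a minimal end-to-end sketch of the
# proposed feature. The lockfile and advisory records are constructed for the
# example; the CVE-0000-* identifiers are placeholders, not real CVEs.
require 'rubygems' # Gem::Version / Gem::Requirement do the version-range checks

SEVERITY_RANK = { 'critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1 }.freeze

# Constructed Gemfile.lock-style manifest for a hypothetical project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.0)
        mini_portile2 (~> 2.3.0)
      rack (1.6.4)
      rails (5.1.4)

  PLATFORMS
    ruby
LOCK

# Constructed advisory feed (placeholder identifiers, not real CVEs).
SAMPLE_ADVISORIES = [
  { id: 'CVE-0000-0001', package: 'rack',     affected: ['< 1.6.5'],
    severity: 'high', fixed_in: '1.6.5', published: '2017-11-01' },
  { id: 'CVE-0000-0002', package: 'nokogiri', affected: ['>= 1.8.0', '< 1.8.1'],
    severity: 'medium', fixed_in: '1.8.1', published: '2017-10-15' },
  { id: 'CVE-0000-0003', package: 'rails',    affected: ['< 5.0.0'],
    severity: 'critical', fixed_in: '5.0.0', published: '2017-09-01' }
].freeze

# 1. Enumerate repository dependencies. Pinned entries in the specs section are
#    indented exactly four spaces with an exact version in parentheses; the
#    six-space lines beneath them are transitive requirements, not pins.
def parse_lockfile(text)
  deps = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
    elsif line !~ /\A\s/
      in_specs = false # a new top-level section such as PLATFORMS or DEPENDENCIES
    elsif in_specs
      m = line.match(/\A {4}(\S+) \(([^\s()]+)\)\s*\z/)
      deps[m[1]] = m[2] if m
    end
  end
  deps
end

# 2. Match a pinned version against an advisory's affected ranges (all ranges
#    must hold, so ['>= 1.8.0', '< 1.8.1'] is a half-open interval).
def affected?(version, ranges)
  Gem::Requirement.new(*ranges).satisfied_by?(Gem::Version.new(version))
end

def find_vulnerabilities(deps, advisories = SAMPLE_ADVISORIES,
                         discovered: Time.now.strftime('%Y-%m-%d'))
  advisories.each_with_object([]) do |adv, found|
    version = deps[adv[:package]]
    next unless version && affected?(version, adv[:affected])
    found << adv.merge(installed: version, discovered: discovered)
  end
end

# 3. Build the alert: the repository owner and the configured global address
#    (the separate remediation-tracking team) both receive it, and each finding
#    carries its remediation reference (the first fixed version).
def build_alert(project, findings, owner_email:, security_email:)
  ordered = findings.sort_by { |f| -SEVERITY_RANK.fetch(f[:severity], 0) }
  body = ordered.map do |f|
    "#{f[:id]} [#{f[:severity]}] #{f[:package]} #{f[:installed]} " \
      "-> upgrade to #{f[:fixed_in]} (published #{f[:published]})"
  end.join("\n")
  { to: [owner_email, security_email].uniq,
    subject: "[#{project}] #{findings.size} vulnerable dependencies",
    body: body }
end

# 4. Dashboard ordering: highest severity first, then number of findings, then
#    earliest discovery date so the oldest open items surface first.
def dashboard(projects) # { project_name => findings }
  projects.reject { |_, f| f.empty? }.sort_by do |name, findings|
    [-findings.map { |f| SEVERITY_RANK.fetch(f[:severity], 0) }.max,
     -findings.size,
     findings.map { |f| f[:discovered] }.min,
     name]
  end.map do |name, findings|
    top = findings.max_by { |f| SEVERITY_RANK.fetch(f[:severity], 0) }
    { project: name, count: findings.size, top_severity: top[:severity],
      discovered: findings.map { |f| f[:discovered] }.min }
  end
end

if __FILE__ == $PROGRAM_NAME
  deps = parse_lockfile(SAMPLE_LOCKFILE)
  findings = find_vulnerabilities(deps, discovered: '2017-11-20')
  alert = build_alert('example/app', findings,
                      owner_email: 'owner@example.test',     # constructed
                      security_email: 'appsec@example.test') # constructed
  puts alert[:subject], alert[:body]
  puts dashboard('example/app' => findings).inspect
end
```

The version comparison is the part worth getting right: a naive string compare would call 1.10.0 older than 1.9.0, while Gem::Version orders release segments numerically, and a half-open range expressed as two requirements avoids the off-by-one of treating the fixed version as affected.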