Add Ruby gem review checkbox to Security section of MR template
Description of the proposal
Not so much a coding style proposal, but I'd like to propose the addition of a new checkbox under the Security section for reviewing new Ruby gem additions and possibly major version bumps. Whilst we don't add new Ruby gems frequently, bringing in third-party code is always a potential risk and one we should treat with care.
https://docs.gitlab.com/ee/development/code_review.html#the-responsibility-of-the-merge-request-author mentions among other items:
Maintainers must check before merging if the merge request is introducing new vulnerabilities, by inspecting the list in the Merge Request Security Widget. When in doubt, a Security Engineer can be involved. The list of detected vulnerabilities must be either empty or containing:
The addition of a library (Ruby gem, JS lib etc)
But I'd like to make this more official by updating the MR template to ensure it is given sufficient attention. Even better would be to get Danger to handle this for us if possible.
- Mention the proposal in the next backend weekly call and the #backend channel to encourage contribution
- Proceed with the proposal once 50% of the maintainers have weighed in, and 80% of the votes are 👍
- Once approved, mention it again in the next backend weekly call and the #backend channel
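As an added illustration of what the "get Danger to handle this" idea from the proposal could look like, the following pure Ruby detects the two things the proposed checkbox asks a reviewer to look at: gems that are new to Gemfile.lock, and existing gems whose major version changed. This is example code written for this page, not GitLab's Dangerfile or any project code; the two lockfile bodies are constructed samples, and the way it would be hooked into Danger (comparing the base and head revisions of Gemfile.lock and calling `warn`) is an assumption described in the note below rather than shown.

```ruby
# Added example: flag new gems and major version bumps between two
# Gemfile.lock revisions. Not GitLab's code; see the lead-in for assumptions.

# Parse the top-level gem specs out of a Gemfile.lock body.
# Returns { "name" => Gem::Version }. Inside a "specs:" block, a line
# indented by exactly four spaces is a spec ("rack (2.2.8)"); six-space
# lines are that spec's dependencies and are deliberately ignored.
def lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
      next
    end
    # Any non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if line =~ /\A\S/
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
    # Platform-specific specs look like "1.15.5-x86_64-linux"; keep only
    # the version part so Gem::Version can parse it.
    version, _platform = m[2].split("-", 2)
    specs[m[1]] = Gem::Version.new(version)
  end
  specs
end

# Compare two lockfiles and return what a reviewer should look at:
# :added       -> sorted names of gems not present before
# :major_bumps -> [name, old_version, new_version] where the first
#                 version segment increased
def review_gem_changes(old_lock, new_lock)
  before = lock_specs(old_lock)
  after  = lock_specs(new_lock)

  added = (after.keys - before.keys).sort
  major_bumps = after.select do |name, version|
    before.key?(name) &&
      version.segments.first.to_i > before[name].segments.first.to_i
  end.map { |name, version| [name, before[name].to_s, version.to_s] }.sort

  { added: added, major_bumps: major_bumps }
end

# Constructed sample lockfiles (not from any real project).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rack (2.2.8)
      rake (13.0.6)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack
    rake

  BUNDLED WITH
     2.4.19
LOCK

# Same lockfile after an MR that bumps rack 2.x -> 3.x and adds sidekiq
# (which pulls in redis-client as a transitive dependency).
NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.15.5-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rack (3.0.9)
      rake (13.0.6)
      redis-client (0.19.1)
      sidekiq (7.2.0)
        rack (>= 2.2.4)
        redis-client (>= 0.19.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack
    rake
    sidekiq

  BUNDLED WITH
     2.4.19
LOCK

if __FILE__ == $PROGRAM_NAME
  report = review_gem_changes(OLD_LOCK, NEW_LOCK)
  puts "New gems needing review: #{report[:added].join(', ')}"
  report[:major_bumps].each do |name, from, to|
    puts "Major version bump: #{name} #{from} -> #{to}"
  end
end
```

Run stand-alone it reports sidekiq and redis-client as new gems and rack 2.2.8 to 3.0.9 as a major bump, while the unchanged nokogiri and the six-space dependency lines are ignored. Note that transitive additions (redis-client here) are reported too, which is what you want: the reviewer's exposure is to every new package that ends up in the bundle, not only the one named in the Gemfile. In a Dangerfile (assumed wiring, not shown above) you would obtain the base and head contents of Gemfile.lock, for example via `git show <rev>:Gemfile.lock`, call `review_gem_changes`, and `warn` when either list is non-empty so the Security checkbox cannot be ticked without someone looking.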