How to manage third party software dependencies
When you develop and operate a service, it’s important to keep any third party dependencies you use up to date. By doing this, you can avoid potential security vulnerabilities.
Any automated tools you use to manage third party dependencies should be compatible with GDS supported programming languages. The tools you use should neither slow down your development process nor disclose potential security vulnerabilities to the public.
You can read more about managing software dependencies in the Service Manual, where you will find a list of common dependency management tools.
Update dependencies frequently
Update your dependencies frequently rather than in ‘big bang’ batches. This works well with continuous delivery principles, ensuring the changes introduced are small and can be automatically tested.
Tools exist that will scan GitHub repositories and raise PRs when dependency updates are found. Teams at GDS are using:
- Dependabot - used by GOV.UK, GOV.UK Pay and GovWifi. The GOV.UK team manual contains guidance on using dependabot and how the PRs raised should be reviewed
- PyUp - a Python dependency checker. Used by Digital Marketplace and GOV.UK Notify, PyUp will monitor for updates and vulnerabilities
- Greenkeeper - a npm dependency checker used by the GOV.UK Verify team on the Node.js client for the Verify Service Provider
All the above tools are free to use on public repositories.
Docker base images
Like dependencies, Docker base images are also frequently updated. If you run containers as part of your service, you should regularly rebuild your images (and base images) to include the latest updates. Automate this process where possible.
Monitoring for vulnerabilities
You should monitor for potential vulnerabilities in every layer of your technology stack. This is not straightforward but tooling exists to help. The Service Manual provides guidance on browser technology, tooling and mailing lists you can subscribe to.
Most of the tooling that helps you stay on top of dependency updates will also highlight vulnerabilities. Additional tooling includes:
- GitHub security alerts - This can be configured per repository in the settings tab of the GitHub UI. When GitHub discovers or is informed about a vulnerability, it will email an alert to the repository owner and users with admin access
- Snyk - Snyk is capable of detecting vulnerabilities in a variety of languages including all the GDS supported programming languages. Snyk can be configured to raise PRs, email regular reports and alert you when new vulnerabilities are detected
Always use official base images. Docker Hub regularly scans official images and the results can be viewed by logging into Docker Hub. If you do not regularly update your base image, you must ensure a manual process exists to monitor and prioritise fixes for vulnerabilities detected.
The Digital Marketplace team uses Snyk container vulnerability management tooling to regularly scan base images.
Minimising what you need to monitor
Minimise the things you need to monitor by minimising dependencies where practically possible. For example, if running containers, make sure you pick the smallest base images.
Also consider managed solutions where possible. For example:
- Use GOV.UK PaaS buildpacks so you do not have to monitor for Operating System (OS), runtime or programming language vulnerabilities
- Consider managed container orchestration technology such as AWS Fargate or similar so you do not have to monitor for vulnerabilities in your OS or control plane
This guidance is inline with the GDS Reliability Engineering strategic principle of use fully managed cloud services by default.