How to manage third party software dependencies
When you develop and operate a service, it’s important to keep any third party dependencies you use up to date. By doing this, you can avoid potential security vulnerabilities.
Any automated tools you use to manage third party dependencies should be compatible with GDS supported programming languages. The tools you use should neither slow down your development process nor disclose potential security vulnerabilities to the public.
You can read more about managing software dependencies in the Service Manual, where you will find a list of common dependency management tools.
Monitoring for vulnerabilities
Ruby - GOV.UK Gem Security Checker
You should run the GOV.UK Gem Security Checker alongside your regular code checks. This helps your team move any dependency vulnerabilities it finds into the team’s work backlog, so that you can:
- prioritise fixes relative to other project work
- address vulnerabilities in private before making the fix public
The GDS Way does not mandate the use of Snyk. If you have experience of other dependency management tools, please contribute it to this document.
Snyk is being used successfully in the Digital Marketplace and GOV.UK Pay programmes. The Digital Marketplace uses Snyk as a pre-merge check on all pull requests for its public repositories. The developers also review the weekly report for new vulnerabilities, applying fixes manually instead of using Snyk’s automatic pull request feature. The reports can be configured to ignore vulnerabilities that have no fix.
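As an added example (not GDS, GOV.UK or Snyk code), the following Ruby script applies the triage flow described above as a pre-merge gate: fixable findings are sorted into a prioritised backlog and block the merge, while findings with no fix are reported but kept out of the gate. The report format is a constructed simplification and does not match the output of any real tool.

```ruby
# Added example, not GDS code. The report layout below (gem, version,
# advisory, severity, patched_versions) is a constructed simplification.
require 'json'

SEVERITY_RANK = { 'critical' => 0, 'high' => 1, 'medium' => 2, 'low' => 3 }.freeze

# Constructed sample report so the example runs offline; advisory ids are placeholders.
SAMPLE_REPORT = <<~REPORT
  [
    {"gem": "rack", "version": "2.0.1", "advisory": "EXAMPLE-0001",
     "severity": "high", "patched_versions": [">= 2.0.8"]},
    {"gem": "nokogiri", "version": "1.8.0", "advisory": "EXAMPLE-0002",
     "severity": "critical", "patched_versions": [">= 1.8.5"]},
    {"gem": "oldgem", "version": "0.1.0", "advisory": "EXAMPLE-0003",
     "severity": "medium", "patched_versions": []}
  ]
REPORT

# Split findings into those with a patched version (go to the backlog and
# can block the merge) and those with no fix yet (kept for visibility only).
def triage(report_json)
  findings = JSON.parse(report_json)
  fixable, unfixable = findings.partition { |f| !f['patched_versions'].empty? }
  fixable.sort_by! { |f| SEVERITY_RANK.fetch(f['severity'].downcase, 99) }
  { fixable: fixable, unfixable: unfixable }
end

# One backlog line per fixable finding, most severe first.
def backlog(report_json)
  triage(report_json)[:fixable].map do |f|
    "#{f['severity'].upcase}: #{f['gem']} #{f['version']} (#{f['advisory']}) " \
      "-> upgrade to #{f['patched_versions'].join(' or ')}"
  end
end

# CI exit status: 1 blocks the merge when a fixable finding is at or above
# min_severity; unfixable findings never block, matching the report setting
# that ignores vulnerabilities with no fix.
def gate_exit_status(report_json, min_severity: 'high')
  threshold = SEVERITY_RANK.fetch(min_severity)
  blocking = triage(report_json)[:fixable].any? do |f|
    SEVERITY_RANK.fetch(f['severity'].downcase, 99) <= threshold
  end
  blocking ? 1 : 0
end

puts backlog(SAMPLE_REPORT)
puts "ignored (no fix available): #{triage(SAMPLE_REPORT)[:unfixable].map { |f| f['gem'] }.join(', ')}"
puts "gate exit status: #{gate_exit_status(SAMPLE_REPORT)}"
```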