Idea: check GitHub repos for security issues, and report them to the relevant team's Slack channel. This would help us spot the issues faster.
Dependabot normally handles this for us by opening pull request to apply security patches, but this doesn't catch everything:
- Dependabot updates sometimes fail before the PR is opened
- Security alerts are sometimes raised before a patch is available, and we may want to take some other action
- Some security alerts come from code scanning
- There are some issues with applying security patches with uv - unsure if these are still reported?
Idea: check GitHub repos for security issues, and report them to the relevant team's Slack channel. This would help us spot the issues faster.
Dependabot normally handles this for us by opening pull request to apply security patches, but this doesn't catch everything: