generated from coulomb/repo-seed
Add security architecture pattern infospace
This commit is contained in:
@@ -0,0 +1,42 @@
|
||||
# Pattern: Dependency Update Bot
|
||||
|
||||
Status: seed
|
||||
Readiness target: RL2 private beta
|
||||
Primary owners: product repos
|
||||
Genesis family: Supply chain
|
||||
|
||||
## Problem
|
||||
|
||||
Dependency updates become stale, risky, and manual when there is no
|
||||
repeatable intake and test path.
|
||||
|
||||
## Context
|
||||
|
||||
Use this pattern for application dependencies, container base images,
|
||||
GitHub Actions, Helm charts, Terraform providers, and platform tools.
|
||||
|
||||
## Forces
|
||||
|
||||
- Automated updates reduce known-vulnerability exposure.
|
||||
- Update noise can overwhelm reviewers.
|
||||
- Security updates need prioritization.
|
||||
- Tests must catch compatibility breakage.
|
||||
|
||||
## Solution
|
||||
|
||||
Use automated dependency update pull requests with grouping rules,
|
||||
security prioritization, test gates, review ownership, and release notes.
|
||||
|
||||
## Verification
|
||||
|
||||
- Dependency inventory is covered by update automation.
|
||||
- Security updates are surfaced with priority.
|
||||
- Update PRs run relevant tests.
|
||||
- Deferred updates have owner and reason.
|
||||
|
||||
## Related Patterns
|
||||
|
||||
- Protected Main Branch.
|
||||
- SBOM-per-Release.
|
||||
- Quarantined Build Runner.
|
||||
- Supply-Chain Provenance.
|
||||
Reference in New Issue
Block a user