Evaluate dependency management & security scanning tools

[timflannagan]

Evaluate dependency management & security scanning tools

We should investigate and potentially integrate tools to automate dependency updates and perform security vulnerability scanning. This will help keep dependencies up to date and reduce security risks.

Tools to consider

• Dependabot – Automated PRs for dependency updates
• Renovate – More configurable dependency update automation
• Trivy – Security vulnerability scanning for containers and dependencies

[timflannagan]

Thoughts @nfuden @lgadban @josh-pritchard?

[nfuden]

I believe that this project should have some form of vulnerability scanning.

Given this I believe that trivy fits the bill as a free option that can be combined with dependabot.

[nfuden]

We may want to rework the scanner setup (its deep in some legacy code currently).
Perhaps a survey of what other projects are using for vulnerability detection that doesnt require additional cost.

[timflannagan]

See #10580 which removed the broken security related Makefile targets from the repository. Updated the title to reflect the want/need for some form of dependency management and/or vulnerability scanning in the short/medium term.