🎯 Aim
The purpose of this issue is to investigate the feasibility and added value of integrating the osv-scanner into our Django template project. This exploration will assess whether osv-scanner can complement or enhance the security measures provided by GitHub Dependabot by identifying known vulnerabilities in the dependencies used by our Django projects.
📕 Context
Our Django template project is designed to streamline the setup of new Django projects with predefined configurations. These projects often utilize various external packages, necessitating robust security and dependency management practices. Currently, we use GitHub Dependabot to monitor and update dependencies based on known vulnerabilities. As we continually update and expand our dependencies, we are interested in assessing whether integrating osv-scanner can provide additional security benefits.
✅ Acceptance Criteria
- Comparative Analysis: An analysis comparing osv-scanner with GitHub Dependabot, focusing on features, efficiency, and detection capabilities.
- Architecture Decision Record (ADR): Document the results of the osv-scanner analysis in an ADR to formally capture the decision-making process and outcomes.
Note that our current tool for vulnerability scanning is osv-detector, which is something of a precursor to the scanner - it's expected at some point that we'll switch to using the scanner but for now we should start with the detector for consistency across our stacks.