Software Production Security

Dependency Scanning

Diffgram uses Dependabot, which automatically alerts us when a published vulnerability affects a dependency in our repository.

Dependabot Automatic Security Updates

When a vulnerable dependency is detected, Dependabot opens a pull request that bumps it to a patched version. This automates most of the upgrade work (we estimate around 95%); a maintainer still reviews the change and confirms CI passes before merging.

Dependency Graph

The dependency graph lists every package our code pulls in, including transitive dependencies. Because the graph is public, you can inspect it yourself; for example, you can confirm that none of our dependencies include log4j.

Inspect Dependencies By Service

You can verify the entire chain, service by service:
infra (k8s, helm)
walrus service
dispatch (not used in production)
sdk (optional)
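As an added example (not Diffgram's own tooling; the GitHub dependency graph gives the same answer interactively), the script below takes one dependency graph per service, as you would extract from each service's lockfile or SBOM export, and reports whether a package such as log4j appears anywhere in the transitive closure, and via which path. The service names follow the list above; the package lists, the hypothetical `logging-lib` counterexample and all function names are constructed for illustration.

```python
"""Audit per-service dependency graphs for a package, direct or transitive.

Added example, not Diffgram's code. The graphs are constructed: in practice
they come from each service's lockfile or an SBOM export."""
from collections import deque
import re


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def build_graph(edges):
    """{package: [direct dependencies]} -> same graph with normalized names."""
    return {normalize(pkg): [normalize(d) for d in deps] for pkg, deps in edges.items()}


# Constructed graphs, one per service named on the page (hypothetical contents).
SERVICE_GRAPHS = {
    "walrus": build_graph({
        "walrus": ["Flask", "SQLAlchemy", "requests"],
        "Flask": ["Werkzeug", "Jinja2"],
        "Jinja2": ["MarkupSafe"],
        "requests": ["urllib3", "certifi"],
    }),
    "dispatch": build_graph({"dispatch": ["requests"], "requests": ["urllib3", "certifi"]}),
    "sdk": build_graph({"sdk": ["requests"], "requests": ["urllib3", "certifi"]}),
}

# Constructed counterexample: log4j is reached only through a hypothetical
# intermediate package, which a check of direct dependencies alone would miss.
COUNTEREXAMPLE_GRAPH = build_graph({
    "app": ["logging-lib"],
    "logging-lib": ["log4j-core"],
})


def find_dependency_path(graph, root, target):
    """Breadth-first search: shortest path root -> ... -> target, or None."""
    root, target = normalize(root), normalize(target)
    if root == target:
        return [root]
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], ()):
            if dep in seen:
                continue
            seen.add(dep)
            if dep == target:
                return path + [dep]
            queue.append(path + [dep])
    return None


def transitive_closure(graph, root):
    """Every package reachable from root (cycles are handled by the seen set)."""
    root = normalize(root)
    seen, stack = set(), [root]
    while stack:
        for dep in graph.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(root)
    return seen


def audit_services(service_graphs, target):
    """Map service name -> shortest path to target, or None when absent."""
    return {svc: find_dependency_path(g, svc, target) for svc, g in service_graphs.items()}


if __name__ == "__main__":
    for service, path in audit_services(SERVICE_GRAPHS, "log4j-core").items():
        print(f"{service}: {'clean' if path is None else ' -> '.join(path)}")
    print("counterexample:", " -> ".join(find_dependency_path(COUNTEREXAMPLE_GRAPH, "app", "log4j-core")))
```

Name normalization matters: package indexes treat `Log4J`, `log4j` and `log_4j`-style spellings as the same project, so a plain string comparison can miss a hit that the dependency graph page would show.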

Code Scanning

Diffgram uses code scanning integrated into our CI process. The results are visible on GitHub.

Secret Scanning

We have enabled automatic monitoring for secrets committed in cleartext. Secrets are never stored in the repository; they are populated at deploy time from a secret store.
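As an added example (not Diffgram's scanner; GitHub's secret scanning is a hosted service), the script below shows the kind of check that catches a cleartext secret before it reaches the repository: a few well-known token formats, plus a generic rule for long literals assigned to secret-looking variables that is gated on character entropy so placeholders such as `changeme` are not reported. The sample file, the `allowlist secret` marker and the entropy threshold are all constructed for this example; the AWS key value is the placeholder AWS uses in its own documentation.

```python
"""Flag cleartext secrets in source before they reach the repository.

Added example, not Diffgram's scanner. The sample input is constructed."""
from collections import Counter
import math
import re

# Well-known credential formats: cheap checks with few false positives.
FORMAT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic fallback: a long literal assigned to a secret-looking variable.
# Reported only when the value's character entropy is high, which separates
# real credentials from placeholders such as "changeme".
ASSIGNED_SECRET = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)[a-z0-9_]*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; value chosen for this example

# Lets a reviewer allowlist a known-fake value such as a test fixture.
# The marker text is a convention chosen for this example.
ALLOWLIST_MARKER = "allowlist secret"


def shannon_entropy(value):
    """Bits per character of the string's own symbol distribution."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_lines(lines):
    """Return (line_number, kind, value) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if ALLOWLIST_MARKER in line:
            continue
        found_values = set()
        for kind, pattern in FORMAT_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
                found_values.add(match.group(0))
        for match in ASSIGNED_SECRET.finditer(line):
            value = match.group(1)
            # Skip values already reported by a format rule, and low-entropy placeholders.
            if value in found_values or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((lineno, "assigned_secret", value))
    return findings


# Constructed sample input: a settings file with a mix of safe and unsafe lines.
SAMPLE = """\
# settings.py (constructed sample input)
DATABASE_URL = os.environ["DATABASE_URL"]  # populated from the environment at runtime
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # placeholder from AWS docs, but it fits the format
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
API_KEY = "changeme"  # placeholder, too short to be flagged
SECRET_KEY = "x9Q2vL7pR4tZ8wN1kC6bJ3mH5dF0gA2sYeU"  # constructed high-entropy literal
FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"  # pragma: allowlist secret (test fixture)
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE.splitlines()):
        print(f"line {lineno}: {kind}: {value}")
```

The format rules are the ones worth blocking a push on; the entropy rule is noisier and is better surfaced as a warning for review, since a long hexadecimal hash or base64 blob in a test fixture trips it just as a real key does.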