[4] Set up GitHub Dependabot for dependency scanning

[ninamak]

Goals

• Set up dependency scanning to ensure we're checking for vulnerabilities with any of the libraries we use.

Tasks

• Research how other 18F teams have set up GitHub Dependabot (e.g., TTAHub)
• Research on GitHub docs on how to configure it
• Set it up

Conditions of Acceptance

• We receive confirmation that we're set up
• We don't get any errors when it runs

Additional Context

• We don't want to set this up in the 18F repo; we'd want to set this up in the HHS repo [4] Move repo to HHS GH (public) #83

Resources

• Decide on security analysis tools #36

[carjug]

Dependabot has been enabled on the repository, but I have yet to see it work. I merged a test PR with a package in the requirements.txt that is out of date and has a security vulnerability (according to this snyk page: https://snyk.io/vuln/SNYK-PYTHON-KERAS-1536745), I set it at v2.4.3, and I'm not sure how often dependabot runs, so I'm going to leave as is over the weekend and see if we get any alerts by Monday. Will obviously revert this change when we see if dependabot is working correctly.

[carjug]

Woo!!

Deleting Keras from the requirements.txt as it was just done as a test of dependabot

[carjug]

@amymok @alexsoble @ninamak dependabot set up! verify at https://github.com/HHS/OPRE-OPS/pulls where you can see an automated dependabot PR for updating the django package.

[alexsoble]

@carjug Woooohoooo! LGTM! As well as checking out the automated dependabot PR I took a look at #128, looks good! 🎉

[amymok]

Yay! LGTM! 🎉 ❣️

[ninamak]

I don't have much to add here, so if everyone else is 👍 , then LGTM!