Migrate to GitHub Native Dependabot

.github/dependabot.yml

@@ -0,0 +1,13 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/tdrs-frontend"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "pip"
+    directory: "/tdrs-backend"
+    schedule:
+      interval: "daily"

README.md

@@ -3,8 +3,7 @@
 || Raft-Tech(raft-tdp-main) |  HHS(main) |
 |---|---|---|
 |**Build**| [![CircleCI-Dev](https://circleci.com/gh/raft-tech/TANF-app/tree/raft-tdp-main.svg?style=shield)](https://circleci.com/gh/raft-tech/TANF-app/tree/raft-tdp-main) | [![CircleCI-HHS](https://circleci.com/gh/HHS/TANF-app/tree/main.svg?style=shield)](https://circleci.com/gh/HHS/TANF-app/tree/main)|
-|**Security Frontend**| [![Security-Frontend-Dev](https://snyk.io/test/github/raft-tech/TANF-app/badge.svg)](https://snyk.io/test/github/raft-tech/TANF-app)  | [![Security-Frontend-HHS](https://snyk.io/test/github/HHS/TANF-app/badge.svg)](https://snyk.io/test/github/HHS/TANF-app)|
-|**Security Backend**| [![Security-Backend-Dev](https://snyk.io/test/github/raft-tech/TANF-app/badge.svg?targetFile=tdrs-backend/requirements.txt)](https://snyk.io/test/github/raft-tech/TANF-app) | [![Security-Backend-HHS](https://snyk.io/test/github/HHS/TANF-app/badge.svg?targetFile=tdrs-backend/requirements.txt)](https://snyk.io/test/github/HHS/TANF-app)
+|**Security**| [Dependabot-Dev](https://github.com/raft-tech/TANF-app/security/dependabot) | [Advisories-HHS](https://github.com/HHS/TANF-app/security/advisories) |
 |**Frontend Coverage**| [![Codecov-Frontend-Dev](https://codecov.io/gh/raft-tech/TANF-app/branch/raft-tdp-main/graph/badge.svg?flag=dev-frontend)](https://codecov.io/gh/raft-tech/TANF-app?flag=dev-frontend) | [![Codeco-Frontend-HHS](https://codecov.io/gh/HHS/TANF-app/branch/main/graph/badge.svg?flag=main-frontend)](https://codecov.io/gh/HHS/TANF-app?flag=main-frontend)   |
 |**Backend Coverage**|  [![Codecov-Backend-Dev](https://codecov.io/gh/raft-tech/TANF-app/branch/raft-tdp-main/graph/badge.svg?flag=dev-backend)](https://codecov.io/gh/raft-tech/TANF-app/branch/raft-tdp-main?flag=dev-backend)|   [![Codecov-Backend-HHS]( https://codecov.io/gh/HHS/TANF-app/branch/main/graph/badge.svg?flag=main-backend)](https://codecov.io/gh/HHS/TANF-app/branch/main?flag=main-backend) |
 

docs/How-We-Work/team-charter/manual-checks.md

@@ -47,11 +47,11 @@ Review CircleCI output to ensure there are no issues with the code being deploye
 ### Other items to document
 
 - Non-inherited 800-53 system security controls in Open Control, OSCAL, and HHS Section 508 Product Assessment Template
-- For any security vulnerabilities that are being ignored or have false positives found via Snyk or Zap, review to ensure granular details to describe Snyk vulnerabilities, what we did to investigate, and what is the mitigation plan.
+- For any security vulnerabilities that are being ignored or have false positives found via Dependabot or Zap, review to ensure granular details to describe Dependabot/Zap vulnerabilities, what we did to investigate, and what is the mitigation plan.
 
 ## Deliverable 7: Secure
 
-Review to ensure any false positives are documented and granular details on describe the Snyk vulnerabilities, what we did to investigate, and what is the mitigation plan. These details will be documented in the readme.
+Review to ensure any false positives are documented and granular details on describe the Dependabot vulnerabilities, what we did to investigate, and what is the mitigation plan. These details will be documented in the readme.
 
 ## Deliverable 8: User Research
 

docs/Security-Compliance/Security-Controls/ra-5/index.md

@@ -19,13 +19,13 @@ e. Shares information obtained from the vulnerability scanning process and secur
 
 a. As part of the TDP Test Plan, security scans are completed on an ongoing basis, throughout the Continuous Integration (CI).  Automated scans are run on every push, pull request and merge on GitHub.  
 
-b. Security scanning is completed using OWASP ZAP dynamic security scans and Snyk vulnerability dependency scanning.  Snyk will automatically open Pull Requests if there is a vulnerability dependency.  If there are no findings, no Pull Requests will be opened.  OWASP Zap scans are the last step for each CI run.  The results for the scans are summarized and accessed through CircleCI.  If vulnerabilities are found in the scan results, the code will be prevented from being deployed until the vulnerabilities are remediated.
+b. Security scanning is completed using OWASP ZAP dynamic security scans and Dependabot vulnerability dependency scanning.  Dependabot will automatically open Pull Requests if there is a vulnerability dependency.  If there are no findings, no Pull Requests will be opened.  OWASP Zap scans are the last step for each CI run.  The results for the scans are summarized and accessed through CircleCI.  If vulnerabilities are found in the scan results, the code will be prevented from being deployed until the vulnerabilities are remediated.
 
 c. Summaries of the security scan reports are reviewed in CircleCI. (see screenshot of summaries of scan reports below)  
 
 ![screenshot - Summaries of security scan reports](images/owasp.png)
 
-d. Summaries of the security scan reports are available in CircleCI.  If there are any vulnerability dependencies found by Snyk, pull requests are automatically opened.  These pull requests are reviewed and remediated as necessary.  
+d. Summaries of the security scan reports are available in CircleCI.  If there are any vulnerability dependencies found by Dependabot, pull requests are automatically opened.  These pull requests are reviewed and remediated as necessary.
 
 e. Information from the scan reports and control assessments are shared with the appropriate security stakeholders and are available for review in CircleCI. 
 

docs/Technical-Documentation/Heuristics.md

@@ -77,7 +77,7 @@ Understanding code quality and maintainability requires examining the code itsel
       </tr>
       <tr valign="top">
         <td class="col-indicator">Code is free of known vulnerabilities </td>
-        <td class="col-good-sign">Third-party dependencies are routinely checked for known-vulnerable versions. The app as a whole is analyzed by an automated security tool (e.g., snyk and OWASP) for common kinds of vulnerabilities.
+        <td class="col-good-sign">Third-party dependencies are routinely checked for known-vulnerable versions. The app as a whole is analyzed by an automated security tool (e.g., Dependabot and OWASP) for common kinds of vulnerabilities.
         <br><br>When vulnerabilities are found, the developer team takes time to investigate the impact and remediate or mitigate the vulnerability. <br><br><b>Non dev:</b> Have the dev team create an integration with Github or MSTeams that reports whenever there are vulnerabilities. The developers should be able to discuss with you what those are and how they are being mitigated. </td>
         <td class="col-bad-sign">Vulnerable dependencies are ignored without good reason (e.g., ignoring a vulnerability in a development-only dependency may be fine). Ignoring reports from security scanning tools. </td>
       </tr>

tdrs-backend/README.md

@@ -19,9 +19,8 @@ Backend API Service for TDP. Deployed to Cloud.gov at https://tdp-backend.app.cl
 
   **Login is dependent on the [tdrs-frontend](../tdrs-frontend/README.md) service. You will need a local instance of that application running.**
 
-This project uses a Pipfile for dependency management. However, due to the limitations of the [Snyk Github Integration Supported Files](https://support.snyk.io/hc/en-us/articles/360000911957-Language-support) we must continue to support a requirements.txt for the time being.
+This project uses a Pipfile for dependency management.
 
-
 ### Local Development Options
 
 **Commands are to be executed from within the `tdrs-backend` directory**

tdrs-backend/docs/github_readme_status_badges.md

@@ -2,7 +2,7 @@
 
 ## Status
 
-There are ten dynamic status reporting badges being included in the root README.md file to provide a quick view of the following Github branches:
+There are six dynamic status reporting badges being included in the root README.md file to provide a quick view of the following Github branches:
 
 - `https://github.com/HHS/TANF-app/tree/main` 
 
@@ -13,11 +13,6 @@ The badges will report on the following criteria:
 
 - Circle CI Build Status
 
-- Frontend Snyk.io security vulnerabilities found.
-
-- Backend Snyk.io security vulnerabilities found.
-
-
 - Frontend code coverage percentage as reported to codecov.io
 
 - Backend code coverage percentage as reported to codecov.io
@@ -32,20 +27,6 @@ The badges will report on the following criteria:
      Example:
      [![CircleCI-Dev](https://circleci.com/gh/raft-tech/TANF-app/tree/raft-tdp-main.svg?style=shield)](https://circleci.com/gh/raft-tech/TANF-app/tree/raft-tdp-main)
 
-- Frontend Snyk.io security vulnerabilities found.
-   - This badge is provided directly from Snyk and by default is configured to report vulnerabilities of Node projects.
-
-     Example:
-     [![Security-Frontend-Dev](https://snyk.io/test/github/raft-tech/TANF-app/badge.svg)](https://snyk.io/test/github/raft-tech/TANF-app)
-
-- Backend Snyk.io security vulnerabilities found.
-   - This badge is provided directly from Snyk will have to directly reference the requirements.txt as defined in the path:
-
-     `tdrs-backend/requirements.txt`
-
-     Example:
-     [![Security-Backend-Dev](https://snyk.io/test/github/raft-tech/TANF-app/badge.svg?targetFile=tdrs-backend/requirements.txt)](https://snyk.io/test/github/raft-tech/TANF-app) 
-
 - Code Coverage percentage as reported to codecov.io will be the same process for the frontend and backend.
    - This badge is provided directly from codecode.io and will be tied to tags for frontend and backend reports that have been uploaded to its server.
 
@@ -55,7 +36,12 @@ The badges will report on the following criteria:
 
 ## Decision
 
-This was done to facilitate a quick view of the status of the default Github repositories. 
+This was done to facilitate a quick view of the status of the default Github repositories.
+
 ## Consequences
 
-Due to limitations imposed by Github and occasional slow sever response times from GitHub, some badges might require a page refresh to load.
+Due to limitations imposed by Github and occasional slow server response times from GitHub, some badges might require a page refresh to load.
+
+## Dependabot Security Analysis
+
+Dependabot status badges have not yet been updated to work with GitHub Native Dependabot per [this open issue](https://github.com/dependabot/dependabot-core/issues/1912). In lieu of these badges links are provided to the Dependabot alerts page on raft-tech and the Security Advisories page on HHS.

tdrs-frontend/package.json

@@ -44,7 +44,6 @@
     "test": "react-scripts test",
     "test:cov": "react-scripts test --coverage --watchAll",
     "test:ci": "CI=1 react-scripts test --coverage",
-    "snyk": "snyk test",
     "test:accessibility": "concurrently -k -s first 'yarn start:ci' 'wait-on http://localhost:3000/ && yarn pa11y-ci --config .pa11yci.json'",
     "eject": "react-scripts eject",
     "lint": "eslint src/ && echo 'Lint complete.'"
@@ -82,7 +81,6 @@
     "prettier": "^2.0.5",
     "redux-devtools-extension": "^2.13.8",
     "redux-mock-store": "^1.5.4",
-    "snyk": "^1.385.0",
     "wait-on": "^5.3.0"
   },
   "jest": {