Merge pull request #173 from guardian/ts/dep-graph

Update recommendations re dependency scanning

ownership.md

@@ -18,7 +18,7 @@ N.B. This guidance only intended as a minimum baseline; in practice the expectat
 ### Security
 - A basic [security](./security.md) assessment should be performed to understand the risks and available controls. E.g. 
 authentication, network security, encryption, secret management. Expert guidance from outside the team should sought for high risk applications (e.g. processing user data)
-- Any dependency manifest files should be scanned using [Snyk Open Source](./snyk.md)
+- Any dependency manifest files should be scanned using [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-alerts)
 - Internal tools should be behind Google Authentication 
     - A helper exists for [Scala](https://github.com/guardian/play-googleauth) and authentication can be added to an [ALB directly](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html)
     - Network-layer restrictions may also be recommended based on the context

security.md

@@ -1,7 +1,7 @@
 # Security
 
 As an organisation we have a low information-security risk appetite. We strive
-for excellence when protecting the privacy of our reader's data and the 
+for excellence when protecting the privacy of our readers' data and the 
 integrity of our systems. **The security of our applications, 
 infrastructure and data is the highest priority.**
 

snyk.md

@@ -1,4 +1,7 @@
-# Snyk
+# Snyk (DEPRECATED)
+
+> [!IMPORTANT]
+> We recommend using [Github Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) and [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts) to analyse dependencies for vulnerabilities.
 
 ## Introduction