Deploy fixes for a security vulnerability

When responding to a security incident, we should review the changes in private before deploying them, so that we don’t accidentally disclose the vulnerability.

To do this, push branches to the AWS CodeCommit backup of the repository, rather than the normal repository on

This repository should be up to date as of the previous release, but it will be missing any unreleased commits that are on master. This is fine: you don’t want to deploy those anyway.

Deploy process

  1. Ensure nobody else deploys the app until you’ve confirmed the vulnerability is fixed.

  2. Review the pull request on AWS CodeCommit.

  3. Create a release tag manually in git. This should follow the standard format release_X. Tag the branch directly instead of merging it.

  4. Don’t use the release app. Go directly to the deploy_app Jenkins job, and check “DEPLOY_FROM_AWS_CODECOMMIT”.
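
Step 3 above, written out as an added shell example (not a script from the GOV.UK docs or tooling). It assumes the CodeCommit backup is configured as a git remote named codecommit, picks the next release_X number from the tags already on that remote, tags the fix branch’s tip directly without merging it, and pushes only the branch and tag to CodeCommit.

```shell
#!/bin/sh
# Assumed name of the git remote pointing at the AWS CodeCommit backup.
CODECOMMIT_REMOTE="${CODECOMMIT_REMOTE:-codecommit}"

# Read existing tag names on stdin (one per line) and print the next tag in
# the standard release_X format. Tags that don't match release_<number>
# (e.g. "v1.2" or "release_rc") are ignored; with no matches, release_1 results.
next_release_tag() {
  highest=$(sed -n 's/^release_\([0-9][0-9]*\)$/\1/p' | sort -n | tail -n 1)
  printf 'release_%d\n' "$(( ${highest:-0} + 1 ))"
}

# Tag the fix branch itself (never master, which may carry unreleased work)
# and push branch + tag to the CodeCommit backup only, so the fix is not
# disclosed on the public remote before it is deployed.
tag_fix_branch() {
  branch="$1"
  if [ "$branch" = "master" ]; then
    echo "tag the fix branch directly, not master" >&2
    return 1
  fi
  if ! git rev-parse --verify --quiet "refs/heads/$branch" >/dev/null; then
    echo "no local branch named $branch" >&2
    return 1
  fi
  # Pull the latest tags from the backup so the release number is not reused.
  git fetch --tags "$CODECOMMIT_REMOTE"
  tag=$(git tag --list 'release_*' | next_release_tag)
  git tag -a "$tag" -m "Security fix on $branch" "$branch"
  git push "$CODECOMMIT_REMOTE" "$branch" "refs/tags/$tag"
  echo "$tag"
}

# Usage: ./tag-security-fix.sh <fix-branch>
if [ "$#" -eq 1 ]; then
  tag_fix_branch "$1"
fi
```

The printed tag is what you then select in the deploy_app Jenkins job with “DEPLOY_FROM_AWS_CODECOMMIT” checked.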

After deploying

  1. Ensure the vulnerability is fixed.

  2. Push the branch and tag to

  3. Merge the branch into master.

  4. Record the missing deployment in the release app.

This page was last reviewed . It needs to be reviewed again by the page owner #govuk-2ndline.