Improve Snyk security scanning #8657
Comments
Snyk provides its own GitHub Actions that seem to integrate well with the GitHub Code Scanning UI: I think this is a good candidate for getting Snyk better integrated into ArgoCD CI.
Good point. The main considerations for those built-in actions are:
If the answer to either of those is yes, then there's a question for the single-container implementer: can the CLI calls still be made to produce SARIF files for GitHub to consume?
Hi, Omer here from Snyk. I would want to pick this up :) Has there been any progress since March?
Hey, @OmerKahani, would love to have some help! There's been a bit of progress. I added a GitHub workflow to write Snyk scans and summaries to the docs: #9856 It runs weekly to avoid using up the private scan limit and to avoid pushing too many commits to master. Unfortunately, the scan failed this weekend. I still haven't had a chance to look into it: https://github.com/argoproj/argo-cd/actions/workflows/update-snyk.yaml Ideally I'd still love to bundle scan reports with releases. But for now I've been focusing on the new docs page. :-)
@crenshaw-dev can you please add me to the Snyk org, so I can debug the script locally? |
Summary
I think new Snyk scans/reports should be added to the CI. This is a top-level ticket to cover the several types of reports I think should be added.
Motivation
The Snyk check that is currently in the Argo CD CI has two shortcomings:
The Snyk UI is also not sufficient. It requires a lot of manual intervention, such as:
Proposal
Snyk scans require a Snyk token (stored in GitHub secrets). That secret is not populated for pull requests. So these scans should run for pushes to master. They should also run on pushes to the release-* branches.
- Add `snyk test` check to CI #8653
- Add `snyk code test` check to CI #8654
- Add `snyk container test` check to CI #8655
- Add `snyk iac test` check to CI #8656

On each release, a scan report should be generated for each scan supported by snyk-to-html, and it should be added to the release assets. For scans not supported by snyk-to-html, we should consider uploading the raw JSON as a release asset.
A .snyk file should be added to the repo root to keep track of "ignore rules" for irrelevant vulnerabilities. The ignore rules contain a text field where maintainers should write justifications for ignoring each high-severity vulnerability.
These checks should run nightly for the three most recent release-* branches. That will help us catch issues with the currently-maintained releases early and avoid extra work when we need to cut a patch release.
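The proposal above, as one workflow, is shown below as an added example; it is not code from this issue or from the Argo CD repository. It assumes the token lives in a `SNYK_TOKEN` secret, that the repo root holds the Dockerfile and a `manifests/` directory of Kubernetes YAML to feed `snyk iac test`, and that the three maintained release branches are `release-2.4`, `release-2.3` and `release-2.2` (a list that has to be bumped on every minor release). Only pushes and the nightly schedule trigger it; there is deliberately no `pull_request` trigger, because the secret is empty there. Each scan writes both JSON (for snyk-to-html) and SARIF (for the Code Scanning UI), the scan steps fail the job on high-severity findings, and the report steps use `if: always()` so a failed check still ships its reports.

```yaml
# Added example: a Snyk scan workflow for the proposal in this issue.
# Not the Argo CD project's own workflow. Assumed names: SNYK_TOKEN secret,
# ./Dockerfile, ./manifests/, and the release branch list in the matrix.
name: snyk-scans

on:
  push:
    branches: [master, 'release-*']   # no pull_request trigger: SNYK_TOKEN is not populated for PRs
  schedule:
    - cron: '0 3 * * *'               # nightly run over the maintained release branches
  release:
    types: [published]                # attach reports to the release assets

permissions:
  contents: write                     # gh release upload
  security-events: write              # upload-sarif into the Code Scanning UI

jobs:
  snyk:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Nightly: master plus the three most recent release branches (assumed names).
        # Push/release: only the ref that triggered the run.
        ref: ${{ github.event_name == 'schedule' && fromJSON('["master","release-2.4","release-2.3","release-2.2"]') || fromJSON(format('["{0}"]', github.ref_name)) }}
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ matrix.ref }}

      - uses: snyk/actions/setup@master   # installs the snyk CLI
      - run: |
          npm install -g snyk-to-html
          mkdir -p reports

      - name: snyk test (open source dependencies)
        run: |
          snyk test --all-projects --severity-threshold=high \
            --json-file-output=reports/snyk-test.json \
            --sarif-file-output=reports/snyk-test.sarif

      - name: snyk code test (first-party source)
        if: always()
        run: |
          snyk code test --severity-threshold=high \
            --json-file-output=reports/snyk-code.json \
            --sarif-file-output=reports/snyk-code.sarif

      - name: snyk container test (image built from the repo Dockerfile)
        if: always()
        run: |
          docker build -t argocd-scan:local .
          snyk container test argocd-scan:local --file=Dockerfile --severity-threshold=high \
            --json-file-output=reports/snyk-container.json \
            --sarif-file-output=reports/snyk-container.sarif

      - name: snyk iac test (Kubernetes manifests, assumed under ./manifests)
        if: always()
        run: |
          snyk iac test manifests/ --severity-threshold=high \
            --json-file-output=reports/snyk-iac.json \
            --sarif-file-output=reports/snyk-iac.sarif

      - name: Render HTML reports from every JSON file snyk-to-html accepts
        if: always()
        run: |
          for f in reports/*.json; do
            snyk-to-html -i "$f" -o "${f%.json}.html" || echo "snyk-to-html cannot render $f; raw JSON kept"
          done

      - name: Publish SARIF to the Code Scanning UI
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: reports          # a directory uploads every *.sarif inside it

      - name: Keep reports as a workflow artifact
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: snyk-reports-${{ matrix.ref }}
          path: reports/

      - name: Attach reports to the release assets
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" reports/* --clobber
```

Ignore rules written to the `.snyk` file at the repo root are picked up by `snyk test`, `snyk container test` and `snyk iac test` automatically, so a justified ignore in that file suppresses the finding in the CI check, the JSON/HTML reports and the SARIF upload in one place rather than having to be re-applied in the Snyk UI.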