Improve Snyk security scanning #8657

Open · 5 tasks
crenshaw-dev opened this issue Mar 2, 2022 · 5 comments
Labels: enhancement (New feature or request), security (Security related)

Comments

crenshaw-dev (Collaborator) commented Mar 2, 2022

Summary

I think new Snyk scans/reports should be added to the CI. This is a top-level ticket to cover the several types of reports I think should be added.

Motivation

The Snyk check that is currently in the Argo CD CI has two shortcomings:

  1. It checks only for new issues, rather than setting a threshold (we want a threshold of "no 'High' severity issues")
  2. It does not generate a report

The Snyk UI is also not sufficient. It requires a lot of manual intervention, such as:

  1. Manually adding new images for each patch release across the currently-supported minor versions
  2. Manually deleting old images
  3. Manually adding "ignore" rules for irrelevant vulnerabilities where the reasons for ignoring are not 1) versioned, 2) visible to anyone who does not have UI access or does not want to fuss with it

Proposal

Snyk scans require a Snyk token (stored in GitHub secrets). That secret is not populated for pull requests. So these scans should run for pushes to master. They should also run on pushes to the release-* branches.

On each release, a scan report should be generated for each scan supported by snyk-to-html, and it should be added to the release assets. For scans not supported by snyk-to-html, we should consider uploading the raw JSON as a release asset.

A .snyk file should be added to the repo root to keep track of "ignore rules" for irrelevant vulnerabilities. The ignore rules contain a text field where maintainers should write justifications for ignoring each high-severity vulnerability.

These checks should run nightly for the three most recent release-* branches. That will help us catch issues with the currently-maintained releases early and avoid extra work when we need to cut a patch release.

@crenshaw-dev crenshaw-dev added enhancement New feature or request security Security related labels Mar 2, 2022
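A workflow sketch of the proposal above, as an added example that is not from the Argo CD repository: it runs on pushes to master and release-* branches plus a nightly schedule, fails the job on High severity or worse (honouring ignore rules from a .snyk file at the repo root), and renders snyk-to-html reports for later attachment to release assets. The image name, Dockerfile path and artifact names are placeholders; the "three most recent release-* branches" scope of the nightly run is left as a comment.

```yaml
# Added example, not the Argo CD project's own workflow. Image name, Dockerfile
# path and artifact names are placeholders.
name: Snyk scan

on:
  push:
    branches:
      - master
      - 'release-*'
  schedule:
    # Nightly. The proposal scopes this to the three most recent release-*
    # branches; a scheduled run only sees the default branch, so each branch
    # would need its own checkout (left out of this sketch).
    - cron: '0 3 * * *'

permissions:
  contents: read

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      # Not populated for pull_request events, hence the push/schedule triggers.
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v3
      - uses: snyk/actions/setup@master
      - name: Dependency scan (non-zero exit on High or Critical; .snyk ignores apply)
        run: snyk test --severity-threshold=high --json-file-output=snyk-deps.json
      - name: Container image scan (placeholder image and Dockerfile path)
        run: |
          snyk container test ghcr.io/example/argocd:latest --file=Dockerfile \
            --severity-threshold=high --json-file-output=snyk-image.json
      - name: Render HTML reports
        # The scan steps fail the job when the threshold is exceeded; keep
        # rendering and uploading so the report is still available.
        if: always()
        run: |
          npm install -g snyk-to-html
          snyk-to-html -i snyk-deps.json -o snyk-deps.html
          snyk-to-html -i snyk-image.json -o snyk-image.html
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: snyk-reports
          path: |
            snyk-*.json
            snyk-*.html
```

The JSON files are the raw output the proposal suggests attaching for scan types snyk-to-html does not support.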
leoluz (Collaborator) commented Mar 3, 2022

Snyk provides their own GitHub actions that seem to integrate well with the GitHub Code Scanning UI:

I think this is a good candidate to have Snyk better integrated in ArgoCD CI

crenshaw-dev (Collaborator, Author) commented

Good point. The main considerations for those built-in actions are:

  1. Can they produce reports which could be added as release assets?
  2. Would running multiple actions be as fast as running a single container with multiple CLI calls?

If the answer to either of those is yes, then there's a question for the single-container implementer: can the CLI calls still be made to produce sarif files for GitHub to consume?

OmerKahani (Contributor) commented

Hi,

Omer here from Snyk. I would want to pick this up :)

Has there been any progress since March?

crenshaw-dev (Collaborator, Author) commented

Hey, @OmerKahani, would love to have some help!

There's been a bit of progress. I added a GitHub workflow to write Snyk scans and summaries to the docs: #9856

It runs weekly to avoid using up the private scan limit and to avoid pushing too many commits to master.

Unfortunately, the scan failed this weekend. I still haven't had a chance to look into it: https://github.com/argoproj/argo-cd/actions/workflows/update-snyk.yaml

Ideally I'd still love to bundle scan reports with releases. But for now I've been focusing on the new docs page. :-)

OmerKahani (Contributor) commented

@crenshaw-dev can you please add me to the Snyk org, so I can debug the script locally?

3 participants