chore: add Snyk scans to docs #9856
c52559d to 055d261
Codecov Report
@@ Coverage Diff @@
## master #9856 +/- ##
==========================================
- Coverage 45.96% 45.87% -0.10%
==========================================
Files 227 227
Lines 27279 27373 +94
==========================================
+ Hits 12538 12556 +18
- Misses 13039 13113 +74
- Partials 1702 1704 +2
Continue to review full report at Codecov.
054c058 to 9589f77
Wow! This is awesome, @crenshaw-dev. Great work.
I have a few comments, which are not formal requests for change, just thoughts that came to my mind.
@jannfis can you take another look?
.github/workflows/update-snyk.yaml (outdated)
stable_release="release-$(sed -E 's/\.[0-9]+$//g' VERSION)"
git checkout "$stable_release"
make snyk-report
Shall the cronjob run off the stable release branch or off master?
I think it should run off the master branch (so we don't have to cherry-pick changes to the script), and store the results in the stable branch. 🤔
Ah wow, good point. Will fix.
Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>
sarif (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
dashboard (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
cron job (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
more consistent formatting (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
clarification (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
sarif files (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
fix naming, fix doc get text (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
apply suggestions (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
apply suggestions (Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>)
blarn (Signed-off-by: CI <michael@crenshaw.dev>)
ignore errors due to vulns (Signed-off-by: CI <michael@crenshaw.dev>)
specify target branch in script (Signed-off-by: CI <michael@crenshaw.dev>)
don't checkout before running script (Signed-off-by: CI <michael@crenshaw.dev>)
make sure dest dir exists (Signed-off-by: CI <michael@crenshaw.dev>)
fix workflow (Signed-off-by: CI <michael@crenshaw.dev>)
Signed-off-by: CI <michael@crenshaw.dev>
4893ce8 to bc0a0f8
@jannfis the
We need to add this to a security policy as well.
@todaywasawesome I'll create a follow-up PR for those. Tracked here: #10030 @jannfis is this otherwise good to go?
Signed-off-by: CI <michael@crenshaw.dev>
LGTM with some minor nits and/or questions
Thanks @crenshaw-dev !
Some of these path names lead to:
Files with
We currently maintain Snyk scans in the Snyk web UI.
This has two downsides:
By generating the scans weekly and placing them in the docs, we can give users a reasonably up-to-date picture of the state of the currently-maintained versions of Argo CD.
The new page looks like this:
Each link goes to a scan detail page that looks like this:
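As an added example, not part of this PR or of the Argo CD repository: the commit subjects above mention SARIF files, so this is a small Python summarizer for a SARIF 2.1.0 report of the kind a scanner such as Snyk can emit. It counts results by level and by rule, collects the files with findings, and renders a Markdown table a docs page could embed. The sample document, rule ids, messages and file paths are constructed for this example, and only standard SARIF fields are used; which optional fields Snyk actually populates is not something the PR page states.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a scanner report.
# Rule ids, messages and file paths are made up for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "Example Scanner",
            "rules": [
                # A rule may declare a default level used when a result omits one.
                {"id": "EXAMPLE-RULE-3", "defaultConfiguration": {"level": "note"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-RULE-1", "level": "error",
             "message": {"text": "Constructed high severity finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}}}]},
            {"ruleId": "EXAMPLE-RULE-2", "level": "warning",
             "message": {"text": "Constructed medium severity finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "go.mod"}}}]},
            {"ruleId": "EXAMPLE-RULE-1", "level": "error",
             "message": {"text": "Same rule, second location"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ui/package.json"}}}]},
            {"ruleId": "EXAMPLE-RULE-3",
             "message": {"text": "Result without an explicit level"},
             "locations": []},
        ],
    }],
})

# Display order for the standard SARIF result levels.
LEVEL_ORDER = ("error", "warning", "note", "none")


def _rule_default_levels(run):
    """Map ruleId -> defaultConfiguration.level declared by the tool driver."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level")
            for r in rules if "id" in r}


def summarize_sarif(sarif_text):
    """Parse a SARIF 2.1.0 document and return counts by level and rule,
    plus the sorted list of files that have at least one result."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected a SARIF 2.1.0 document")
    by_level = Counter()
    by_rule = Counter()
    files = set()
    for run in doc.get("runs", []):
        defaults = _rule_default_levels(run)
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "<no rule>")
            # Explicit level wins; otherwise the rule's declared default;
            # otherwise "warning", the SARIF default for a failing result.
            level = result.get("level") or defaults.get(rule_id) or "warning"
            by_level[level] += 1
            by_rule[rule_id] += 1
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri"))
                if uri:
                    files.add(uri)
    return {
        "total": sum(by_level.values()),
        "by_level": dict(by_level),
        "by_rule": dict(by_rule),
        "files": sorted(files),
    }


def render_markdown(summary):
    """Render the summary as a Markdown table for a docs page."""
    lines = ["| Level | Count |", "|---|---|"]
    known = [lvl for lvl in LEVEL_ORDER if lvl in summary["by_level"]]
    extra = sorted(lvl for lvl in summary["by_level"] if lvl not in LEVEL_ORDER)
    for level in known + extra:
        lines.append(f"| {level} | {summary['by_level'][level]} |")
    lines.append("")
    lines.append(f"Total results: {summary['total']} across "
                 f"{len(summary['files'])} file(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(summarize_sarif(SAMPLE_SARIF)))
```

The level fallback matters when publishing counts: a result that omits `level` is not "no severity", so the summarizer falls back to the rule's declared default before the SARIF default, rather than silently dropping it from the table.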