Add snyk.io to pipeline? #1
Comments
A couple of sample Snyk results on Groupon projects (though typically you'll run Snyk from the CLI): https://snyk.io/test/github/groupon/nlm
Definitely interested! Two questions:
Great! Re JSON, you can specify a --json argument to 'snyk test' to get JSON output. Good point on it missing from the docs, we'll fix that. Re difference, the main delta is remediation. That said, the tools operate a bit differently. There are a handful of issues in our DB that aren't in nodesecurity (our DB is at https://github.com/Snyk/vulndb), and we've encountered various packages where we reported issues while they did not.
It's on the list for pipeline now; I'll get it added probably next week and update codeburner as soon as the new gem is published. Thanks for the submission!
I started working on this integration today, unfortunately I hit a snag. I ran snyk against about a dozen different JavaScript apps, some of which have known vulns caught by nodesecurity or retire. I have yet to get snyk to report a single result, unfortunately. I even tried it against the snyk-demo-app I found reference to with no luck. I'm running npm 3.3.3 and node 0.12.7 if it helps...
One thought: do you run Snyk.io after running When you run snyk locally, it tests the set of packages actually deployed. The Can you try running it after
Aha, got it! That's the same logic as retirejs, so I totally get it/agree... you might want to add that as another notch in the documentation belt, though, since I didn't see it mentioned anywhere :) I've got some decent data now, and I already added a hook to specify a custom npm-registry in pipeline for our retirejs support (which does an npm install --no-scripts before it runs in pipeline) so this should work fine. Thanks for the quick reply!
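The two practical points in this thread are that `snyk test --json` gives machine-readable output for a pipeline, and that Snyk inspects the packages actually installed, so the scan has to run after the install step. The script below is an added example (not code from this issue, from the Groupon pipeline/codeburner projects, or from Snyk) of a CI gate that does both: it installs dependencies with npm's `--ignore-scripts` flag, runs the scan, and fails the build on findings at or above a severity threshold. The shape of the JSON report (a `vulnerabilities` array with `id`, `title`, `severity`, `packageName`, `version`, `isUpgradable`, `isPatchable`) is an assumption stated in the code, and `SAMPLE_REPORT` is a constructed stand-in for real scanner output so the summarising logic can be exercised offline.

```python
"""Minimal Snyk CI gate: install first, scan what got installed, then fail the build on severe findings.

Added example (not code from this thread, Groupon's pipeline, or Snyk itself).
Assumptions: the `snyk` CLI is on PATH; `snyk test --json` emits a JSON object
whose `vulnerabilities` array holds entries with `id`, `title`, `severity`,
`packageName`, `version`, `isUpgradable` and `isPatchable` fields (assumed
schema, illustrated by the constructed sample below).
"""
import json
import subprocess
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def run_scan(project_dir: str) -> dict:
    """Install dependencies without lifecycle scripts, then scan what is actually installed.

    Snyk inspects node_modules, so scanning before `npm install` reports nothing.
    `--ignore-scripts` is npm's flag for skipping package lifecycle scripts.
    """
    subprocess.run(["npm", "install", "--ignore-scripts"], cwd=project_dir, check=True)
    # snyk exits non-zero when it finds issues, so do not use check=True here.
    proc = subprocess.run(["snyk", "test", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def summarize(report: dict, fail_on: str = "high") -> dict:
    """Count findings by severity and decide whether the build should fail.

    Returns per-severity counts, the findings at or above `fail_on` (with a
    remediation hint), and a `passed` flag the pipeline can act on.
    """
    threshold = SEVERITY_RANK[fail_on]
    counts = Counter()
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "low").lower()
        counts[sev] += 1
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            blocking.append({
                "id": vuln.get("id"),
                "package": f"{vuln.get('packageName')}@{vuln.get('version')}",
                "title": vuln.get("title"),
                # remediation hint: an upgrade or a Snyk patch, if either is offered
                "fix": "upgrade" if vuln.get("isUpgradable")
                       else "patch" if vuln.get("isPatchable") else "none",
            })
    return {"counts": dict(counts), "blocking": blocking, "passed": not blocking}


# Constructed sample in the assumed `snyk test --json` shape (not real scan output).
SAMPLE_REPORT = {
    "ok": False,
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "title": "Regular Expression Denial of Service",
         "severity": "high", "packageName": "some-package", "version": "1.0.0",
         "isUpgradable": True, "isPatchable": False},
        {"id": "EXAMPLE-VULN-2", "title": "Prototype Pollution",
         "severity": "medium", "packageName": "other-package", "version": "2.3.4",
         "isUpgradable": False, "isPatchable": True},
    ],
}

if __name__ == "__main__":
    # Offline demonstration on the constructed report; in a pipeline you would
    # call run_scan(".") instead and feed its result to summarize().
    result = summarize(SAMPLE_REPORT, fail_on="high")
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if result["passed"] else 1)
```

The gate deliberately does not rely on the scanner's exit code alone: parsing the report lets the pipeline apply its own threshold and surface the remediation hint (upgrade vs. patch) that the thread identifies as Snyk's main differentiator.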
FYI this is done, I'm just waiting to finish 1 more (big) feature for pipeline before I submit the PR/add it to codeburner proper. FWIW the Markdown details actually look pretty nice in the codeburner interface after an HTML conversion ;)
Awesome - will test it out a bit later!
Fixed in pipeline: OWASP/glue#28 Once that's merged I'll update codeburner and Snyk support will be in.
This all finally made it into today's release, Snyk is fully supported now.
A bit of a shameless plug, as I work on Snyk, but I believe it fits.
Snyk works off an open source vuln DB (https://github.com/Snyk/vulndb), and includes patches (typically reduced & back-ported versions of the original fix), that make remediation very actionable.