POC for vulnerability scanning using snyk #101528
Comments
/area code-organization
/assign
/triage accepted
The snyk scan continuous job is running at a 6h interval, see https://testgrid.k8s.io/sig-security-snyk-scan#ci-kubernetes-snyk-master. Results can be seen in each job's artifacts: https://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-snyk-master/1405787379716853760/artifacts/

Next:
- Any suggestion about where the docs should reside?
Hey @navidshaikh, I have been talking about a location for the docs with @dims and @tabbysable. https://github.com/kubernetes/community/ under sig-security seems like a good place. I have a WIP fork for this as well. Should get something for review for you next week. Let me know what you think!

Sounds good @PushkarJ, thanks!

Docs PR: kubernetes/community#5853
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

/remove-lifecycle stale

The docs PR is merged, kubernetes/sig-security#16, which completes the checklist. Thanks everyone for their contributions! /close
@navidshaikh: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What would you like to be added:
A prow CI job to do vulnerability scanning for k/k dependencies using snyk.
Why is this needed:
ref kubernetes/community#2992
This issue is to track doing a PoC for vulnerability scanning of k/k dependencies using snyk CLI.
The proposal is to create an optional prow CI job which runs snyk scan against k/k master.
This requires:
- A secret (projectId: k8s-prow) with the snyk token, ref
- An optional presubmit/periodic CI job which populates the SNYK_TOKEN env var using the secret, installs the snyk CLI and runs the scan: Add snyk scan periodic CI job test-infra#22293

Just to be clear, all this is stuff we would do BEFORE a release. We are not talking about scanning containers here, just a sanity check of the dependencies that we pull in.
cc: @dims @nikhita @PushkarJ @spiffxp @nikhita
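A minimal Prow periodic job with the shape this issue describes (token from a secret into SNYK_TOKEN, CLI installed in the job, scan output kept as an artifact), written here as an added example; it is not the job definition from test-infra#22293 or any file in kubernetes/test-infra. The job name and testgrid dashboard are taken from the links in this thread; the secret name snyk-token and its key token, the node:lts image, the 6h interval placement and the high severity threshold are assumptions.

```yaml
# Added example, not the job definition from kubernetes/test-infra.
# Assumptions: a Kubernetes secret named "snyk-token" with key "token"
# exists in the prow build cluster, and the node:lts image is acceptable.
periodics:
- name: ci-kubernetes-snyk-master
  interval: 6h
  decorate: true            # pod-utils clone the refs and set ${ARTIFACTS}
  annotations:
    testgrid-dashboards: sig-security-snyk-scan
  extra_refs:
  - org: kubernetes
    repo: kubernetes
    base_ref: master
    path_alias: k8s.io/kubernetes
  spec:
    containers:
    - image: node:lts       # assumed image; npm is needed to install the CLI
      env:
      # The token value never appears in the job config or the job log; the
      # snyk CLI reads SNYK_TOKEN from the environment, so no "snyk auth"
      # step is needed in the script below.
      - name: SNYK_TOKEN
        valueFrom:
          secretKeyRef:
            name: snyk-token   # assumed secret name
            key: token         # assumed key
      command:
      - /bin/bash
      - -c
      - |
        set -euo pipefail
        npm install -g snyk
        # Scan every manifest found in the checkout (go.mod for k/k) and
        # report only high severity and above. snyk exits non-zero when it
        # finds vulnerabilities, so capture the code after the JSON report
        # has been written into the job artifacts directory.
        rc=0
        snyk test --all-projects --severity-threshold=high --json \
          > "${ARTIFACTS}/snyk.json" || rc=$?
        exit "${rc}"
```

Because the job is a periodic rather than a blocking presubmit, a non-zero exit only turns the testgrid cell red; the snyk.json written under ${ARTIFACTS} is what the gcsweb artifacts link above exposes for review.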