Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setup snyk for SDKs #1235

Open
duglin opened this issue Oct 10, 2023 · 3 comments
Open

Setup snyk for SDKs #1235

duglin opened this issue Oct 10, 2023 · 3 comments
Assignees
@jskeet @duglin
Labels
lifecycle/stale

Comments

@duglin
Copy link
Collaborator

duglin commented Oct 10, 2023
edited
Loading

Per old agenda AI

  • snyk for dependaBot type of checks
  • look into adding a bot that scans for security issues too
@github-actions GitHub Actions
Copy link

This issue is stale because it has been open for 30 days with no
activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

@Igor8mr
Copy link

Igor8mr commented Dec 5, 2023

We have started researching possible steps for implementing Snyk on the CloudEvents SDK. I listed them below to serve as a guide to help implement it.

Initial Setup

  1. Install the Snyk CLI on a local machine according to the operating system.
  2. Run the command Snyk auth to authenticate the Snyk account. Follow the prompts to log in and authenticate.
  3. Create the CloudEvents Snyk organization in the Snyk Dashboard.
  4. In the Snyk Dashboard, go to the organization settings and add the GitHub Integration for CloudEvents account under Source Control Integrations.

Individual SDK Setup

  1. In the Snyk Dashboard, click Add Project and select the GitHub repository containing the CloudEvents SDK code.
  2. Configure Snyk Policies by defining policies for the project to set thresholds for vulnerability severity levels.
  3. Enable GitHub Integration for the CloudEvents project to receive automatic pull requests for fixing vulnerabilities, which can streamline the remediation process.
  4. Configure notification settings to alert all interested CloudEvents admins and members for new vulnerabilities or policy violations, which should include at least the maintainers of the specific SDK.
  5. Snyk should also be integrated with the CloudEvents Semantic Versioning control system, so Snyk can automatically update its vulnerability database and scan for new vulnerabilities.

Configure Snyk to perform Dependabot-style checks

  1. Go to the CloudEvents SDK project in the Snyk Dashboard.
  2. Navigate to the Settings tab.
  3. Under Policy, enable the Auto-fix option.

@Igor8mr Igor8mr mentioned this issue Dec 8, 2023
Merged
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 6, 2024

This issue is stale because it has been open for 30 days with no
activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jskeet jskeet

@duglin duglin

Labels
lifecycle/stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jskeet @duglin @Igor8mr