SEC-6985 Add Snyk Scans in CircleCI (NPM) #7

Draft: wants to merge 1 commit into master

Conversation

pd-snyk-integration

Context

This PR will enable Snyk SCA scans in CircleCI.

Important! These scans are full repository scans and are in addition to the existing Snyk PR checks via the GitHub integration. The expectation is NOT that engineers will resolve all of the findings from the full scan. They are designed to increase awareness that there are findings in the repo as a whole. See Service Owners' Guide | Integration Points | CircleCI for a full explanation.

For more information on these, see our pages on Confluence:
Service Owners' Guide | Integration Points
FAQ | Github & CircleCI / BuildKite Snyk Integrations

Changes Include:

  1. Updating the CircleCI config.yml to add the PagerDuty Snyk orb, and adding the Job to run that scan

Outside of Scope

  • Only Snyk SCA scans are being implemented in pipelines. These scan package manager files for vulnerable dependencies. Snyk Code (SAST) scans will not be implemented in pipelines; those will remain implemented only via the GitHub integration.

Engineering Team Code Owners Should Test, Validate, and Merge

Please update as needed and merge these PRs when you feel comfortable doing so.
We are asking the teams that own each repository to carefully test and merge these changes so they can monitor for any resulting issues, as they are more familiar with the code and deploy process.

Note: If this project is a library to which you may backport changes, including the Snyk scan, please advise so that an additional parameter can be added.

Checklist for Team Code Owners

  • Ensure that all builds are successful.
  • Check review for any comments/addendums from Product Security that might need to be manually addressed.
  • Approve and MERGE the PR when ready!

Checklist for Product Security

Snyk WebUI

  • The Snyk WebUI has been reviewed to ensure the repo is now showing up as expected
  • There are no duplicate findings in the WebUI (ex: there's already a Github integration for non-Elixir dependencies)

CircleCI

  • Ensure all builds still complete
  • The Snyk scan is not failing due to an error with the scan
  • The Snyk scan is either passing or failing due to vulnerabilities
  • The Snyk scan is detecting the expected package manager files (based on reviewing what's in the repo)
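As an added illustration of the kind of job this PR describes (not the PR's own change, and not PagerDuty's internal orb, which is not shown on this page), here is a CircleCI config that runs a Snyk SCA scan of an npm project using the public `snyk/snyk` orb. The orb version, the Docker image, the context name, the severity threshold and the `monitor-on-build` setting are assumptions to be adjusted by the repository owners:

```yaml
version: 2.1

orbs:
  # Assumption: the public Snyk orb. The PR uses a PagerDuty orb whose name
  # and version do not appear on the page; pin whatever version your org approves.
  snyk: snyk/snyk@2.1.0

jobs:
  snyk-sca-scan:
    docker:
      # Assumption: any Node image that can run `npm ci` for this repo.
      - image: cimg/node:20.11
    steps:
      - checkout
      # Install dependencies first so Snyk can resolve the full lockfile tree
      # (package.json + package-lock.json are the "package manager files"
      # the checklist above expects the scan to detect).
      - run:
          name: Install npm dependencies
          command: npm ci
      - snyk/scan:
          # Fail the job only when issues at or above the threshold are found;
          # an authentication or dependency-resolution problem surfaces as a
          # scan error instead, which is the case the checklist separates out.
          fail-on-issues: true
          severity-threshold: high
          # Assumption: also send a snapshot to the Snyk Web UI so the repo
          # appears there for the Product Security review.
          monitor-on-build: true
          # The API token is read from this environment variable; it should
          # come from a CircleCI context, never from the config file itself.
          token-variable: SNYK_TOKEN

workflows:
  build-and-scan:
    jobs:
      - snyk-sca-scan:
          # Assumption: a context named "snyk" that holds SNYK_TOKEN.
          context:
            - snyk
```

Keeping `SNYK_TOKEN` in a restricted context rather than in project-level environment variables limits which jobs can read it, and pinning the orb to an exact version keeps a third-party orb update from silently changing what runs in the pipeline.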
