
Snyk has no token #98

Closed
wesley-dean-gsa opened this issue Jul 17, 2024 · 3 comments · Fixed by #101
Assignees
Labels
wontfix This will not be worked on

Comments

@wesley-dean-gsa
Contributor

Snyk depends on a secret named SNYK_TOKEN

https://github.com/GSA-TTS/tts.gsa.gov/blob/main/.github/workflows/snyk-security.yml#L52

[Screenshot attached: Screenshot_20240717_112656]
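For reference, this is what the dependency looks like in a workflow and how a job can degrade gracefully when the secret is not configured. It is an added example, not the repository's own snyk-security.yml: the action reference and the scan arguments are assumptions, and the only page-supported detail is that the Snyk step reads a secret named SNYK_TOKEN. The trick is that the secrets context cannot be used in a step's `if`, so the presence check is exposed through a job-level environment variable.

```yaml
# Added example (not the GSA-TTS/tts.gsa.gov workflow): skip the Snyk scan
# with a visible warning when SNYK_TOKEN is absent, instead of failing the job.
name: snyk-security (example)

on: [push, pull_request]

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      # `secrets` is not available inside `if:`, so the presence of the token
      # is evaluated here and surfaced as the string "true" or "false".
      HAS_SNYK_TOKEN: ${{ secrets.SNYK_TOKEN != '' }}
    steps:
      - uses: actions/checkout@v4

      - name: Warn when the Snyk secret is not configured
        if: env.HAS_SNYK_TOKEN != 'true'
        run: echo "::warning::SNYK_TOKEN is not configured; skipping Snyk scan"

      - name: Run Snyk
        if: env.HAS_SNYK_TOKEN == 'true'
        uses: snyk/actions/node@master   # assumed action; substitute the one the real workflow uses
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high   # example arguments, not the project's
```

The warning step keeps the missing-secret condition visible in the run annotations, which matters for a security scan: a silently skipped step looks identical to a clean scan in the checks list, whereas the annotation records that no scan took place.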

@wesley-dean-gsa
Contributor Author

I put a few options in Slack:

So, we have a few options:

  1. per the TTS Handbook, create a new "organization" for the project. This is a no-cost option and I recommend it.
  2. try to get TTS to acquire (purchase) a TTS-wide Snyk license. This is likely even uglier than it sounds, so I strongly recommend against it at this time.
  3. disable Snyk scanning entirely. There are other tools we have in the toolchain (e.g., Dependabot) that will manage our dependencies or just notify us of issues (e.g., Grype, a part of MegaLinter), so the inclusion of Snyk can be seen as a redundancy. Personally, I don't mind having more rigorous scanning in this area, but Snyk is a widely-adopted tool with a good reputation. On the other hand, the site, when built, is static and immutable, so even if there is an undetected / unpatched dependency, the risk associated with an exploit is extremely low.

Right now, we're just waiting on advice about how to proceed.

@wesley-dean-gsa
Contributor Author

Chatted with @katelandisgsa and @JJediny and then sent an email along to LaKeisha Russel and @pauldoomgov soliciting their advice.

@wesley-dean-gsa
Contributor Author

@katelandisgsa wrote:

That being said, I'm comfortable with option 3 if you are.

I am, in fact, comfortable with option 3 (disable Snyk entirely), especially given #97.

@wesley-dean-gsa wesley-dean-gsa moved this from Todo to Needs Review in TTS Website Jul 17, 2024
@wesley-dean-gsa wesley-dean-gsa added the wontfix This will not be worked on label Jul 17, 2024
@github-project-automation github-project-automation bot moved this from Needs Review to Done in TTS Website Jul 17, 2024
@wesley-dean-gsa wesley-dean-gsa moved this from Done to Needs Review in TTS Website Jul 17, 2024
@github-project-automation github-project-automation bot moved this from Needs Review to In Progress in TTS Website Jul 17, 2024
@wesley-dean-gsa wesley-dean-gsa moved this from In Progress to Needs Review in TTS Website Jul 17, 2024
@wesley-dean-gsa wesley-dean-gsa linked a pull request Jul 18, 2024 that will close this issue
@github-project-automation github-project-automation bot moved this from Needs Review to Done in TTS Website Jul 22, 2024
@wesley-dean-gsa wesley-dean-gsa added this to the Technical Debt milestone Jul 23, 2024