
Add snyk scan workflow #1223

Merged (1 commit), Sep 8, 2023

Conversation

hansatgoogle (Collaborator)

Add workflow to run snyk scan following Snyk documentation: https://docs.snyk.io/integrations/snyk-ci-cd-integrations/github-actions-integration/snyk-golang-action.

This workflow can be run manually and will automatically run once a week on Sunday night. For now, this is just configured to run snyk test - https://docs.snyk.io/snyk-cli/commands/test. This will scan the repo for vulnerability and license issues, and the CLI will exit with 1 if any are found.

An example run is here: https://github.com/hansatgoogle/registry/actions/runs/6123960183/job/16622986936. As you can see, this currently finds an issue with an MPL-2.0 license. I don't think that's a concern for us as we aren't likely to modify that library. To get this scan to pass, we could create a custom license policy in snyk (https://docs.snyk.io/manage-risk/policies/license-policies) or remove the dependency if it's not needed.

I've already added SNYK_TOKEN as a repository secret, so the action should work once merged.
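A workflow of the shape described in this PR, written here as an added illustration rather than the file that was merged; the file path, the cron time (Sunday 03:00 UTC), the action refs and the read-only `permissions` block are assumptions:

```yaml
# .github/workflows/snyk.yml  (assumed path; not the file from this PR)
name: Snyk scan

on:
  workflow_dispatch:        # lets the scan be started by hand
  schedule:
    - cron: '0 3 * * 0'     # assumed: weekly, Sunday 03:00 UTC

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  snyk-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # snyk/actions/golang runs `snyk test` by default. The CLI exits
      # non-zero (failing the job) when vulnerability or license issues
      # are found, so a failed scheduled run is the alert signal.
      # For production use, pin the action to a release tag or commit SHA
      # instead of @master to limit supply-chain exposure.
      - name: Run snyk test
        uses: snyk/actions/golang@master
        env:
          # Repository secret; the token must never be written into the file.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

Until a license policy or a `.snyk` ignore covering the flagged dependency exists, this job fails on every run, which is the behaviour the PR description reports.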

codecov bot commented Sep 8, 2023

Codecov Report

Merging #1223 (24091a4) into main (82fd89e) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1223   +/-   ##
=======================================
  Coverage   71.96%   71.96%           
=======================================
  Files         146      146           
  Lines       12241    12241           
=======================================
  Hits         8809     8809           
  Misses       2749     2749           
  Partials      683      683           


timburks (Contributor) left a comment

Thanks, I think we'll probably leave it to the upstream library to consider removing this dependency. If it seems there's no interest in that, I think we would want to add the exception that you suggested.

hansatgoogle (Collaborator, Author)

It looks like we could also have a custom policy defined in this repo following https://docs.snyk.io/manage-risk/policies/the-.snyk-file#ignoring-the-license-with-the-cli.

I'll merge this and then we can discuss how to proceed.

@hansatgoogle hansatgoogle merged commit 76ddac3 into apigee:main Sep 8, 2023
10 checks passed
@hansatgoogle hansatgoogle deleted the add-snyk-action-2 branch September 8, 2023 18:05