
Integrate Snyk properly with python module management #3416

Closed · 1 task
jbrown-xentity opened this issue Sep 8, 2021 · 2 comments

Assignees: nickumia-reisys
Labels: CI/CD · O&M (Operations and maintenance tasks for the Data.gov platform) · Use Latest

Comments

@jbrown-xentity (Contributor)

User Story

In order to simplify python upgrades of dependencies that are at risk, data.gov sysadmin wants a snyk process that opens PRs that are reviewable and mergeable as is, without user management.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

  • GIVEN a security concern is found in a python dependency for catalog or inventory
    WHEN a PR is created to correct the dependency
    THEN the dependencies input list is updated and a lock file is created.

Background

Should consider taking on #3415 first, as snyk integration may be easier or harder with pipenv.

Security Considerations (required)

[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

mogul added the O&M (Operations and maintenance tasks for the Data.gov platform) label Sep 9, 2021
hkdctol moved this to In Progress [8] in data.gov team board Aug 2, 2022
mogul moved this from In Progress [8] to Product Backlog in data.gov team board Aug 4, 2022
hkdctol moved this from 📔 Product Backlog to 📟 Sprint Backlog [7] in data.gov team board Nov 10, 2022
nickumia-reisys self-assigned this Dec 7, 2022
nickumia-reisys moved this from 📟 Sprint Backlog [7] to 🏗 In Progress [8] in data.gov team board Dec 7, 2022
nickumia-reisys moved this from 🏗 In Progress [8] to 👀 Needs Review [2] in data.gov team board Dec 8, 2022
nickumia-reisys moved this from 👀 Needs Review [2] to ✔ Done in data.gov team board Dec 8, 2022
@nickumia-reisys (Contributor)

While this is not the solution we had hoped for, it is the best solution that we can come up with for now. Both catalog and inventory contain a custom script that runs a Snyk scan and creates a PR if there are any "fixable" vulnerabilities that exist. I turned off the "automatic PR" feature of Snyk for these two repos.

@nickumia-reisys (Contributor)

So, the solution to this was writing a custom script that analyzes the snyk scan output and updates the requirements accordingly. If there is an update, it creates a PR:

Key points:

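The user story and acceptance criteria above ask for a process that turns Snyk findings into a reviewable dependency bump, and the comment above describes a custom script that reads the scan output and updates the requirements. The following is an added example of that step, written for this page; it is not the catalog or inventory script and not Snyk's own code. It assumes a scan JSON whose `vulnerabilities` entries carry `packageName`, `version` and `fixedIn` fields (modelled on `snyk test --json`, but the field names are an assumption here), uses a constructed `requirements.txt`, and only rewrites `==` pins for packages that have a published fix. Findings with an empty `fixedIn` are deliberately left alone, since they are not "fixable" by a version bump and need a human.

```python
"""Turn a Snyk scan result into a requirements.txt bump (added example, not
the data.gov catalog/inventory script)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed scan output modelled on the `vulnerabilities` array that
# `snyk test --json` emits. The field names used here (packageName, version,
# fixedIn, severity) are an assumption about Snyk's schema for this example.
SAMPLE_SCAN = json.dumps({
    "vulnerabilities": [
        {"id": "example-1", "packageName": "examplelib", "version": "1.4.0",
         "severity": "medium", "fixedIn": ["1.4.1"]},
        {"id": "example-2", "packageName": "examplelib", "version": "1.4.0",
         "severity": "high", "fixedIn": ["1.5.2", "2.0.0"]},
        # No fixed release published: not "fixable", so it must not produce an edit.
        {"id": "example-3", "packageName": "otherlib", "version": "0.9.0",
         "severity": "high", "fixedIn": []},
        # Snyk reports the canonical name; requirements.txt may spell it differently.
        {"id": "example-4", "packageName": "third_lib", "version": "3.0",
         "severity": "low", "fixedIn": ["3.0.1"]},
    ]
})

# Constructed requirements.txt for the same (fictional) project.
SAMPLE_REQUIREMENTS = """\
# pinned runtime dependencies
examplelib==1.4.0
otherlib==0.9.0
unrelated>=2.0          # not a hard pin: left untouched
Third-Lib[extra]==3.0   # extras and case must survive the bump
"""

# name, optional [extras], '==' version, then whatever follows (markers, comments)
_PIN_RE = re.compile(r"^(\s*)([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;#]+)(.*)$")


def _normalize(name: str) -> str:
    """PEP 503 normalization so 'Third-Lib' and 'third_lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _version_key(version: str) -> Tuple[int, ...]:
    """Compare release segments numerically. Simplification: ignores PEP 440
    pre/post/dev suffixes, which is enough for plain x.y.z pins."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def fixable_upgrades(scan_json: str) -> Dict[str, str]:
    """Map normalized package name -> lowest version that fixes every reported
    vulnerability in that package. Packages with no fixed release are skipped."""
    targets: Dict[str, str] = {}
    for vuln in json.loads(scan_json).get("vulnerabilities", []):
        current = vuln.get("version", "0")
        candidates = [v for v in vuln.get("fixedIn", [])
                      if _version_key(v) > _version_key(current)]
        if not candidates:
            continue  # nothing to upgrade to; a human has to look at this one
        fix = min(candidates, key=_version_key)
        name = _normalize(vuln["packageName"])
        # Several findings on one package: keep the highest of the per-finding
        # minimums so a single bump closes all of them.
        if name not in targets or _version_key(fix) > _version_key(targets[name]):
            targets[name] = fix
    return targets


def apply_upgrades(requirements: str,
                   upgrades: Dict[str, str]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Rewrite '==' pins for packages in `upgrades`; return the new file text and
    the (package, old, new) changes, which become the PR description."""
    changes: List[Tuple[str, str, str]] = []
    out: List[str] = []
    for line in requirements.splitlines(keepends=True):
        newline = "\n" if line.endswith("\n") else ""
        m = _PIN_RE.match(line.rstrip("\n"))
        if m:
            indent, name, extras, old, rest = m.groups()
            new = upgrades.get(_normalize(name))
            if new and new != old:
                line = f"{indent}{name}{extras or ''}=={new}{rest}{newline}"
                changes.append((name, old, new))
        out.append(line)
    return "".join(out), changes


if __name__ == "__main__":
    bumps = fixable_upgrades(SAMPLE_SCAN)
    new_text, changed = apply_upgrades(SAMPLE_REQUIREMENTS, bumps)
    if changed:
        print("requirements changed; open a PR:")
        for pkg, old, new in changed:
            print(f"  {pkg}: {old} -> {new}")
        print(new_text)
    else:
        print("no fixable findings; no PR")
```

The script decides "open a PR" purely from whether `apply_upgrades` changed anything, which is what makes the resulting PR mergeable as is: the diff is only pinned versions, and the change list doubles as the PR body. Regenerating a lock file (the THEN clause of the acceptance criteria) would be a separate step run on the rewritten file, for example with the project's pip-tools or pipenv invocation, and is not shown here.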