
Add Snyk to CircleCI pipeline #565

Open
wants to merge 3 commits into base: main

Conversation


@megg-pd megg-pd commented Dec 3, 2024

Context

This PR will enable Snyk Open Source scans in CircleCI.

Changes Include:

  1. Updating the CircleCI config.yml to add the Snyk orb, and adding a job to run that scan

Engineering Team Code Owners Should Test, Validate, and Merge

Please update as needed and merge these PRs when you feel comfortable to do so.
We are asking the teams that own each repository to carefully test and merge these changes so they can monitor for any resulting issues, as they are more familiar with the code and deploy process.

Checklist for Team Code Owners

  • Ensure that all builds are successful.
  • Check the review for any comments/addenda from the Security Engineer that might need to be manually addressed.
  • Approve and MERGE the PR when ready!

Checklist for Security Engineer

  • The Snyk WebUI has been reviewed to ensure the repo is showing up as expected
  • The Snyk scan completes successfully

@@ -1,8 +1,9 @@
# Java Gradle CircleCI 2.0 configuration file
#
# Check https://circleci.com/docs/2.0/language-java/ for more details
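Review bot: the header comment still describes this as a "CircleCI 2.0 configuration file" and links the `/docs/2.0/language-java/` page, yet the hunk header `@@ -1,8 +1,9 @@` shows the top of the file growing by a line without that comment being refreshed; since the Snyk orb this PR adds only works with a 2.1-style config, update the comment to name the version the file actually declares and drop or replace the stale 2.0 link so the header does not mislead the next reader.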
Author

This link wasn't accurate anymore. Version 2.1 came out 6 years ago.

steps:
- checkout
- setup_remote_docker
- git/rebase_on_main
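Review bot: `git/rebase_on_main` rewrites the checked-out tree onto main before the scan runs, so the dependency manifests Snyk reads may not be the ones in the commit under review, and a rebase conflict would fail the job for reasons unrelated to any finding; a dependency scan should run against the commit exactly as checked out, so drop this step (the thread already leans that way). `setup_remote_docker` likewise only matters if the job runs `docker` commands; if this job does nothing but the Snyk Open Source scan, it can go as well.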
Member

hmm, do we need to rebase on main? I see the PD git orb states its purpose is to prevent "unwanted merge checks from overwriting existing deployed code", but I don't think that applies here

Author

We probably could. This was in the original template that SRE-Delivery worked with me on, but it's possible it's not relevant here. I'll take that out in the next iteration.

@gschueler gschueler mentioned this pull request Dec 12, 2024

megg-pd commented Dec 13, 2024

I have some other possible changes coming for the Snyk scan, so I'm just holding any more work on this PR until I've confirmed those changes.

@gschueler
Member

@megg-pd thanks, I'm doing some other changes to fix issues with the other actions


gschueler commented Dec 19, 2024

@megg-pd will there be other changes to this PR?

@megg-pd megg-pd closed this Dec 19, 2024
@megg-pd megg-pd reopened this Dec 19, 2024

megg-pd commented Dec 19, 2024

@gschueler Apologies, this is ready to go now. The main change was changing the failure threshold to "high". We were looking into making another change where it only fails when there's an upgrade path for vulnerable dependencies, however this would then make snyk hide the license policy violation failures, so we couldn't implement that tweak.
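To make the change described in the PR summary ("add the Snyk orb, and a job to run that scan") and the final tuning above (failure threshold set to "high", the upgradable-only failure mode considered and rejected) concrete, here is an added example of what such a CircleCI config looks like. It is not the PR's own `config.yml`. The orb reference `snyk/snyk@2`, the executor image, the context name, and the orb parameter names `severity-threshold`, `fail-on-issues`, `monitor-on-build`, `token-variable` and `additional-arguments` are assumptions taken from the Snyk orb as I know it, not from the page; verify them against the pinned orb version before adopting.

```yaml
# Added example (not the PR's config). Orbs require the 2.1 config schema.
version: 2.1

orbs:
  # Assumed orb reference. Pin to an exact version in a real pipeline so
  # the scan behaviour does not change underneath you when the orb updates.
  snyk: snyk/snyk@2

jobs:
  snyk-open-source-scan:
    docker:
      # Assumed image: a JDK is needed so the Snyk CLI can resolve the
      # Gradle dependency graph of this Java project.
      - image: cimg/openjdk:17.0
    steps:
      # Scan the commit exactly as checked out; no rebase, no remote docker.
      - checkout
      - snyk/scan:
          # Fail the job only on high/critical findings (the threshold the
          # thread settled on). Lower severities are still reported.
          severity-threshold: high
          fail-on-issues: true
          # Push a snapshot so the repository shows up in the Snyk web UI,
          # which is one of the Security Engineer checklist items above.
          monitor-on-build: true
          # Name of the environment variable holding the API token; supplied
          # via the (assumed) "snyk" context below, never committed to the repo.
          token-variable: SNYK_TOKEN
          # Considered and rejected in the thread: failing only when an
          # upgrade path exists would also hide license policy failures,
          # so this flag is deliberately left out.
          # additional-arguments: --fail-on=upgradable

workflows:
  build-and-scan:
    jobs:
      - snyk-open-source-scan:
          # Assumed CircleCI context that provides SNYK_TOKEN as a secret.
          context: snyk
```

Keeping the token in a context rather than a project variable lets the organisation restrict which workflows can read it, and leaving `monitor-on-build` on is what makes the "repo shows up in the Snyk WebUI" checklist item verifiable after the first green run.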
