
feat(snyk support): Changes to use Snyk for dependencies, licenses, and code analysis #257

Merged
merged 6 commits into master from fixsnyk
Dec 12, 2023

Conversation


@mdial89f mdial89f commented Dec 12, 2023

Purpose

This is a changeset that accommodates Snyk automatic PR deployment and removes OBE workflows.

Linked Issues to Close

None

Approach

Snyk is a comprehensive security tool that scans and fixes vulnerabilities in open-source code, containers, and configurations. It can open pull requests to keep dependencies up to date, fix vulnerable packages, check Pull Requests for new issues, check for license issues, and perform static code analysis. Macpro recently onboarded to an enterprise Snyk installation, this repo included. The configuration of PR checks and dependency update configuration is controlled in that instance, and not addressed here.

However, one behavior of Snyk is problematic for us. The branch names used when Snyk opens a PR are very long. This causes deployment failures due to some amazon resources having name length limits; we were going over them by double digits.

To correct the name length limit, the setting of our stage name in our workflows has been modified: if the branch name starts with "snyk-", then the stage name will be set to just "snyk". This way, deploy/destroy can occur for snyk generated branches. We are still using environment locking based on stage name, so only one operation against the 'snyk' stage will occur at any given time. However, because Snyk is configured to only have open one PR at a time, this shouldn't need to be relied upon.

Other things in this PR:

  • Removed the Dependency Update workflow: this was a workflow to update all node deps in one commit, to reduce PR count and burden. It was largely unused, and ended up being not very user friendly, as the workflow could not open the PR on its own or trigger a deployment, for security reasons.
  • Removed the Dependency Review workflow: this is now covered by a Snyk PR check which performs the same review.
  • Removed CodeQL: this is covered by the Snyk Code Analysis check. I don't believe the checks are identical, but CodeQL and Snyk Code Analysis are analogous tools, and Snyk appears to flag more issues. Further, since our reporting will come from Snyk, we should use it as our source of truth in the matter.
  • Badge was updated in the README to reflect Snyk usage in place of Dependabot

Assorted Notes/Considerations/Learning

If this goes into master and works out, our other repos could use this change as they suffer the same branch name issue and contain some of the same OBE workflows.
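The stage-name mapping described in the PR, as an added example that is not the project's own workflow code. It assumes the Snyk branch prefix is literally "snyk-", that the collapsed stage name is "snyk", and that non-Snyk branches pass through unchanged; the length limit used by the guard is a placeholder, not a figure taken from the page.

```shell
#!/bin/sh
# Added example (not from the PR): derive a deployment stage name from a git
# branch name so that Snyk-generated branches, whose names can be very long,
# all map to one short stage. Everything else passes through as-is.
# Assumptions: prefix "snyk-", stage "snyk", placeholder length limit.

stage_from_branch() {
  # $1: branch name (for example "$GITHUB_REF_NAME" inside a workflow step)
  branch="$1"
  case "$branch" in
    snyk-*) printf '%s\n' "snyk" ;;
    *)      printf '%s\n' "$branch" ;;
  esac
}

check_stage_length() {
  # $1: candidate stage name; $2: maximum length (default 64 is a placeholder,
  # not a limit stated on the page). Returns non-zero when the name is too long,
  # so a workflow can fail fast instead of failing mid-deploy on a resource name.
  stage="$1"
  limit="${2:-64}"
  [ "${#stage}" -le "$limit" ]
}

emit_stage_env() {
  # Convenience wrapper for a workflow step: prints "STAGE=<name>" on stdout,
  # which can be appended to "$GITHUB_ENV", and fails if the guard trips.
  stage="$(stage_from_branch "$1")"
  if ! check_stage_length "$stage" "${2:-64}"; then
    echo "stage name too long: $stage" >&2
    return 1
  fi
  printf 'STAGE=%s\n' "$stage"
}
```

In a workflow step this would be used as `emit_stage_env "$GITHUB_REF_NAME" >> "$GITHUB_ENV"`. Because every Snyk branch collapses to the same stage, deploys for two Snyk PRs would contend for the same environment lock; the PR notes this is acceptable only because Snyk is configured to keep a single PR open at a time.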

@mdial89f mdial89f merged commit e7573f9 into master Dec 12, 2023
12 checks passed
@mdial89f mdial89f deleted the fixsnyk branch December 12, 2023 19:00

🎉 This PR is included in version 1.5.0-val.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
