Overview
The purpose of this feature is to utilize the Snyk project to identify potential security risks/vulnerabilities.
NOTE: the FOLIO project is already using Snyk, but the feeling is that it's not being used to its full potential. We can likely get more out of this tool with some effort.
What is Snyk?
From https://snyk.io/what-is-snyk/ :
Snyk (pronounced sneak) is a developer security platform for securing code, dependencies, containers, and infrastructure as code.
Our documentation about our Snyk usage: https://folio-org.atlassian.net/wiki/display/SEC/Snyk
Snyk's own documentation: https://docs.snyk.io/
Scope
- Investigate, learn, and document Snyk.
- What knobs can be adjusted to better suit our needs?
- Can Snyk be leveraged for higher quality, more complete scans?
- Design and implement process improvements for using Snyk in the FOLIO community.
- What happens when issues are identified?
- Notification/alerting mechanisms? Email? Slack? Other?
- Automatic JIRA creation?
- Automatic PR creation?
- Something else?
- Use Snyk!