2026-01-22 Meeting notes

Date

Jan 22, 2026

Attendees

Name               Present   Planned Absences
@Craig McNally     Y
@Julian Ladisch    Y
@Ryan Berger       Y
@Chris Rutledge
@John Coburn       Y
@Kevin Day         Y
@Jens Heinrich     Y

Discussion items

Time: 1 min
Item: https://semgrep.dev/
Who: @Julian Ladisch
Notes:
  • Peter Murray needs to delete and recreate our semgrep account to fix the user management, but that hasn’t happened yet.

Time: 1 min
Item: Snyk Vulnerability Stats
Who: @Craig McNally
Notes:
  • Nothing alarming. Latest dashboard screenshots were shared in Slack yesterday.

Item:
  Anything Urgent?
  Review Security board?
  Review labels=security?
  Issues under review?

  Under Review Filter:
  https://folio-org.atlassian.net/issues/?jql=project%20in%20(SECURITY)%20and%20status%20in%20(%22Under%20Review%22)%20ORDER%20BY%20created%20DESC

  Snyk Cleanup Filter:
Who: Team
Notes:

Previous Notes:

  • Reminder to review the “Under Review” items and approve with a thumbs up (or ask questions/raise concerns).

  • Exposing stack traces to the user.

    • @Craig McNally will write a draft message and share it in the security chat.

    • General advice to devs… links to OWASP, etc.

  • Snyk scans the default branch (presently Trillium). Ideally we can have Snyk scan both Sunflower and Trillium (or, more generically, the current and previous versions).

    • Julian has a workaround which requires a temporary change of the default branch, but it needs to be coordinated with devops to avoid causing problems.

    • Another idea is to create forks (of the Sunflower/previous version) of each of the repos into some other org and add them to Snyk as well.

    • Keep Snyk pointed at the master branch and handle this (manually) during triage. Check not only the master branch, but also the latest release.
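As an added illustration of the "exposing stack traces to the user" item above (example code written for these notes, not code from any FOLIO module): the "before" handler returns the raw trace to the client, the "after" handler keeps the trace in the server log and returns only a generic message with a correlation id, and containsStackTrace is a check a module's tests can run over response bodies. The class name, the JSON shape of the error body and the sample exception are assumptions made for the example.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Added example, not FOLIO project code: what a request handler should hand
 * back to the client when an unexpected exception escapes, with the full
 * stack trace kept in the server log (CWE-209, OWASP "Improper Error Handling").
 */
public final class SafeErrorResponse {

    private static final Logger LOG = Logger.getLogger(SafeErrorResponse.class.getName());

    // Matches a Java stack frame such as "at org.example.Foo.bar(Foo.java:42)"
    // or a "Caused by:" line; used by the test guard below.
    private static final Pattern TRACE_MARKER =
        Pattern.compile("\\bat [\\w$.]+\\([\\w$.]+\\.java:\\d+\\)|\\bCaused by: ");

    private SafeErrorResponse() {}

    /** Before: the body is the raw trace, exposing exception class, message and internals. */
    public static String leakyBody(Throwable t) {
        StringWriter sw = new StringWriter();
        t.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    /**
     * After: log the exception under a fresh correlation id and return only a
     * generic message plus that id, so support can find the trace in the log.
     * The JSON shape is assumed for this example; a real module uses its own error schema.
     */
    public static String safeBody(Throwable t) {
        String errorId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Unhandled request error, errorId=" + errorId, t);
        return "{\"errors\":[{\"message\":\"Internal server error\",\"errorId\":\"" + errorId + "\"}]}";
    }

    /** Guard for unit tests: does a response body look like it carries a stack trace? */
    public static boolean containsStackTrace(String body) {
        return TRACE_MARKER.matcher(body).find();
    }

    public static void main(String[] args) {
        // Constructed failure whose message alone already reveals an internal host name.
        Throwable failure = new IllegalStateException(
            "connection to db-internal.example:5432 refused",
            new RuntimeException("pool exhausted"));
        String leaky = leakyBody(failure);
        String safe = safeBody(failure);
        System.out.println("leaky body carries a trace: " + containsStackTrace(leaky));
        System.out.println("safe body carries a trace:  " + containsStackTrace(safe));
        System.out.println(safe);
    }
}
```

The point of the correlation id is that nothing useful is lost: the operator still gets the full trace, keyed by the id the user can quote, while the client sees neither class names, internal host names nor frame lists. The containsStackTrace guard is the kind of check worth adding to a module's HTTP tests for every error path, since a trace usually leaks through the one path nobody wrote a handler for.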

Today:

Topic Backlog

Action items