Using snyk for package vulnerability verification

Tirloni, Giovanni gtirloni at
Thu Apr 6 12:47:33 UTC 2017


  There was a discussion on the GPII Architecture mailing list that started in Oct 2015 when Snyk was released, and I believe it would be beneficial to adopt it for Fluid repositories.

  Here are the relevant threads:

  And here's more information about Snyk:

  I took the liberty of creating a "Fluid Project" organization in Snyk and invited the Fluid Project's GitHub administrators to it (as I don't have permission to add repositories).

  Enabling Snyk for a repository means:

    * A webhook will be added to notify Snyk of new PRs and commits
    * A check will be added to new PRs identifying whether they introduce security vulnerabilities (within Snyk's scope)
    * The repository will be continuously monitored for new vulnerabilities

  To clarify, Snyk is not a static code analyzer. It simply inspects dependencies for known vulnerabilities.

  If there is consensus on adopting this tool, I would like to request that someone with admin privileges on the Fluid Project's GitHub organization access Snyk and add the repositories.
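
  To make the "not a static code analyzer" point concrete, here is an added example (not Snyk's code, not Fluid Project code) of the kind of check such a tool performs: it never reads source files, it only matches the versions a lockfile or `npm ls` reports against a list of known-vulnerable version ranges. The package names, versions, advisory IDs and ranges below are constructed for illustration and are not real advisories; the range grammar is a small subset of npm's semver ranges.

```javascript
// Added example: a minimal dependency vulnerability check.
// Everything here (package names, versions, advisories) is constructed sample
// data, not real advisory content.

function parseVersion(v) {
  // Accept "1.2.3" or "v1.2.3"; pre-release/build suffixes are ignored here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (so 1.10.0 > 1.9.9, unlike a string compare).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar (subset of npm's): comparators "<", "<=", ">", ">=", "="
// separated by spaces are ANDed; "||" separates alternatives (OR).
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(cmp => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      return op === '<' ? c < 0 : op === '<=' ? c <= 0
           : op === '>' ? c > 0 : op === '>=' ? c >= 0 : c === 0;
    })
  );
}

// installed: { name: resolvedVersion } as a lockfile or `npm ls` reports it.
// advisories: [{ id, name, vulnerable, fixedIn }] - constructed schema.
function audit(installed, advisories) {
  const findings = [];
  for (const adv of advisories) {
    const version = installed[adv.name];
    if (version !== undefined && satisfies(version, adv.vulnerable)) {
      findings.push({ package: adv.name, installed: version, advisory: adv.id, upgradeTo: adv.fixedIn });
    }
  }
  return findings;
}

// Constructed sample input: a flattened dependency set and a small advisory list.
const sampleInstalled = {
  'example-pad': '1.0.0',
  'example-parser': '2.3.1',
  'example-http': '0.9.7',
  'safe-lib': '3.1.0',
};
const sampleAdvisories = [
  { id: 'EX-0001', name: 'example-parser', vulnerable: '<2.4.0', fixedIn: '2.4.0' },
  { id: 'EX-0002', name: 'example-http', vulnerable: '>=0.9.0 <0.9.8 || >=1.0.0 <1.0.3', fixedIn: '0.9.8' },
  { id: 'EX-0003', name: 'safe-lib', vulnerable: '<3.0.0', fixedIn: '3.0.0' },
  { id: 'EX-0004', name: 'not-installed', vulnerable: '<9.9.9', fixedIn: '9.9.9' },
];

const sampleFindings = audit(sampleInstalled, sampleAdvisories);
for (const f of sampleFindings) {
  console.log(`${f.advisory}: ${f.package}@${f.installed} is vulnerable, upgrade to ${f.upgradeTo}`);
}
```

  Two points this makes that the prose alone does not: a finding depends only on the resolved version, so a package that `npm outdated` would not flag (because no newer release exists yet, or because the vulnerable range is an old branch) can still be reported, which is the "trailing edge" value described in the thread; and a real tool walks the whole resolved dependency tree, including transitive dependencies, rather than the top-level `package.json` entries alone.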


-------- Forwarded Message --------
Subject: 	Re: [Architecture] snyk node package vulnerability checker now live!
Date: 	04/06/2017 04:50 AM
From: 	Tony Atkins <tony at>
To: 	Tirloni, Giovanni <gtirloni at>
CC: 	architecture at Architecture <architecture at>

Hi, Giovanni.

Personally I would be happy to have this for every repo and PR.  Even though many of us regularly run "npm outdated" (or "yarn outdated") and test our work with newer libraries, having a report on known bad versions gives us a consistent "trailing edge". By that I mean that if we haven't managed to otherwise update our dependencies when snyk identifies a problem, we have a good reason to take a moment and review.

Anyway, +1 from me.



On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <gtirloni at <mailto:gtirloni at>> wrote:

     Snyk can monitor repositories and test new PRs for vulnerable packages.

     Is there interest in having this tool automatically monitoring our repositories? It's free for open source projects.

     On 10/29/2015 02:29 PM, Steve Lee wrote:
      > Steve Lee
      > OpenDirective
      > _______________________________________________
      > Architecture mailing list
      > Architecture at <mailto:Architecture at>
      > <>
