Using snyk for package vulnerability verification

Tirloni, Giovanni gtirloni at ocadu.ca
Wed Apr 12 15:47:15 UTC 2017


Hello,

By lazy consensus rules, there have been no objections to adopting this tool.

Unfortunately I don't have admin privileges to the fluid-project organization to add the repositories to Snyk myself. Anyone with those privileges, please feel free to login to Snyk, select the 'Fluid Project' organization in the top dropdown, click on 'Add my GitHub repositories to Snyk' and then select the ones from the 'fluid-project' GitHub organization.

Thank you,
Giovanni

On 04/06/2017 09:48 AM, Tirloni, Giovanni wrote:
> Hello,
>
>   There was a discussion in the GPII Architecture mailing list that started in Oct 2015 when snyk.io was released and I believe it would be beneficial to adopt it for Fluid repositories.
>
>   Here are the relevant threads:
>
>     http://lists.gpii.net/pipermail/architecture/2015-November/thread.html
>     http://lists.gpii.net/pipermail/architecture/2017-April/thread.html
>
>   And here's more information about Snyk:
>
>     https://snyk.io/docs/faqs/
>     https://snyk.io/plans
>
>   I took the liberty of creating a "Fluid Project" organization in Snyk and invited the Fluid Project's GitHub administrators to it (as I don't have permission to add repositories).
>
>   Enabling Snyk for a repository means:
>
>     * A WebHook will get added to notify snyk.io of new PR and commits
>     * A notification will be added to new PRs to identify if they introduce security vulnerabilities (within snyk's scope)
>     * The repository will be constantly monitored for new vulnerabilities
>
>   To clarify, Snyk is not a static code analyzer. It simply inspects dependencies that have known vulnerabilities.
>
>   If there is consensus on adopting this tool, I would like to request that someone with admin privileges to the Fluid Project in GitHub access Snyk.io and add the repositories.
>
> Regards,
> Giovanni
>
>
> -------- Forwarded Message --------
> Subject: 	Re: [Architecture] snyk node package vulnerability checker now live!
> Date: 	04/06/2017 04:50 AM
> From: 	Tony Atkins <tony at raisingthefloor.org>
> To: 	Tirloni, Giovanni <gtirloni at ocadu.ca>
> CC: 	architecture at lists.gpii.net Architecture <architecture at lists.gpii.net>
>
>
>
> Hi, Giovanni.
>
> Personally I would be happy to have this for every repo and PR.  Even though many of us regularly run "npm outdated" (or "yarn outdated") and test our work with newer libraries, having a report on known bad versions gives us a consistent "trailing edge". By that I mean that if we haven't managed to otherwise update our dependencies when snyk identifies a problem, we have a good reason to take a moment and review.
>
> Anyway, +1 from me.
>
> Cheers,
>
>
> Tony
>
> On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <gtirloni at ocadu.ca <mailto:gtirloni at ocadu.ca>> wrote:
>
>      Snyk can monitor repositories and test new PRs for vulnerable packages.
>
>      Is there interest in having this tool automatically monitoring our repositories? It's free for open source projects.
>
>      https://snyk.io/docs/github
>
>      On 10/29/2015 02:29 PM, Steve Lee wrote:
>       > https://snyk.io/
>       >
>       > Steve Lee
>       > OpenDirective http://opendirective.com
>       > _______________________________________________
>       > Architecture mailing list
>       > Architecture at lists.gpii.net <mailto:Architecture at lists.gpii.net>
>       > http://lists.gpii.net/mailman/listinfo/architecture <http://lists.gpii.net/mailman/listinfo/architecture>
>       >
>       >
>
>
> _______________________________________________________
> fluid-work mailing list - fluid-work at lists.idrc.ocad.ca
> To unsubscribe, change settings or access archives,
> see http://lists.idrc.ocad.ca/mailman/listinfo/fluid-work
>

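As an added illustration, not Snyk's code and not anything from the Fluid Project, here is a minimal model of what a dependency-level checker of the kind described in the thread actually does: walk the installed dependency tree (including transitive copies), match each package and version against an advisory feed of known-bad version ranges, and gate a pull request on the result. No source code is inspected, which is the distinction the thread draws between this and a static analyzer. The package names, advisory identifiers, the package-lock.json v1 tree shape and the simplified version-range grammar are all constructed for the example.

```javascript
'use strict';

// Parse "1.2.3" (optionally "v1.2.3") into numeric parts. Prerelease and build
// suffixes are ignored to keep the example short (assumption, not full semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator function.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar (assumption): OR-clauses separated by "||"; each clause is a
// space-separated AND-list of comparators "<x", "<=x", ">x", ">=x", "=x", or a
// bare "x" meaning exact equality. Enough to express a typical "affected" range.
function satisfies(version, range) {
  return range.split('||').some((clause) =>
    clause.trim().split(/\s+/).every((comparator) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comparator);
      if (!m) throw new Error(`bad comparator: ${comparator}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    }));
}

// Walk a package-lock.json v1 style tree ({dependencies: {name: {version, dependencies}}}),
// yielding every installed package with the path that pulled it in. Transitive
// copies matter: the vulnerable version is often one nested under a direct dependency.
function* walkDependencies(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    yield { name, version: entry.version, path: here };
    yield* walkDependencies(entry.dependencies, here);
  }
}

// Match every installed package against the advisory list. Nothing here reads
// source code: the check is purely "known package at a known-bad version".
function findVulnerableDependencies(lockfile, advisories) {
  const findings = [];
  for (const dep of walkDependencies(lockfile.dependencies)) {
    for (const adv of advisories) {
      if (adv.package === dep.name && satisfies(dep.version, adv.vulnerable)) {
        findings.push({
          id: adv.id,
          severity: adv.severity,
          name: dep.name,
          version: dep.version,
          path: dep.path.join(' > '),
          fixedIn: adv.fixedIn,
        });
      }
    }
  }
  return findings;
}

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// The PR gate: report every finding, but only block on those at or above the threshold.
function gatePullRequest(lockfile, advisories, threshold = 'high') {
  const findings = findVulnerableDependencies(lockfile, advisories);
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
  return { ok: blocking.length === 0, findings, blocking };
}

// Constructed sample lockfile; package names are fictional.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  dependencies: {
    'example-web': { version: '4.15.2', dependencies: { 'example-qs': { version: '6.2.0' } } },
    'example-qs': { version: '6.5.1' },
    'example-tmpl': { version: '2.0.9' },
  },
};

// Constructed advisory feed with fictional identifiers; these are not real vulnerabilities.
const SAMPLE_ADVISORIES = [
  { id: 'EXAMPLE-ADV-0001', package: 'example-qs', severity: 'high', vulnerable: '<6.3.0', fixedIn: '6.3.0' },
  { id: 'EXAMPLE-ADV-0002', package: 'example-tmpl', severity: 'medium', vulnerable: '>=2.0.0 <2.0.10 || 1.0.0', fixedIn: '2.0.10' },
  { id: 'EXAMPLE-ADV-0003', package: 'example-web', severity: 'critical', vulnerable: '<4.0.0', fixedIn: '4.0.0' },
];

const result = gatePullRequest(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES, 'high');
for (const f of result.findings) {
  console.log(`${f.severity.toUpperCase()} ${f.id}: ${f.name}@${f.version} via ${f.path} (fixed in ${f.fixedIn})`);
}
console.log(result.ok ? 'PR check passed' : `PR check failed: ${result.blocking.length} blocking finding(s)`);
```

Note that the top-level example-qs is at a safe version; the flagged copy is the older one nested under example-web, which is exactly the case an "npm outdated" pass on direct dependencies can miss and the reason the reported path is worth printing.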

