18F / tock

We use Tock to track and report our time at 18F
https://18f.gsa.gov/2015/05/21/TockingTime/

Migrate away from Snyk #950

Closed Jkrzy closed 4 years ago

Jkrzy commented 4 years ago

We're currently using both Github Security and Snyk to monitor dependencies. Reports have been comparable.

In an effort to consolidate our Dependency Analysis tooling, let's move entirely to Github Security as our sole provider of Dependency analysis/scanning.

We'll know we're done when

tbaxter-18f commented 4 years ago

Does this have any ATO implications? Do we need to chat with Susan Frederick first?

Jkrzy commented 4 years ago

So long as we're still implementing RA-5: vulnerability scanning -- and we are -- we should be ok.

I also updated the last checklist item there to specifically include a review of the SSP to make sure our control narratives are up-to-date.

cryptofilegsa commented 4 years ago

We should confirm that GitHub security covers everything that snyk does before removing. I would assume that these tools complement one another given that github integrates both.

cryptofilegsa commented 4 years ago

Vytas Fidleris of snyk submits the following:

"Snyk works across the entire SDLC (CLI -> production), not just in the git repo, as well as being able to support multiple Gits at once. Even if you only plan on working on security within Github, Snyk provides license compliance support, deeper reporting and vulnerability prioritization and a more extensive vulnerability database (only 1/3 of the database is publicly available knowledge). The dependency tree that Snyk builds out is extensive and lists ALL transitive dependencies (where ~78% vulnerabilities lie), while providing automated remediation for the vulnerabilities. Github's security capabilities are great for individual developers, Snyk is built out more as a tool to be used by organizations."

tbaxter-18f commented 4 years ago

I'm moving this back into to-do.

Jkrzy commented 4 years ago

As an immediate step, I've removed the stalled Snyk checks from the required steps before merging into master.

Jkrzy commented 4 years ago

Sticking with snyk per: https://github.com/18F/tts-tech-portfolio/issues/403