I've been getting quite a few emails from Snyk. Apparently their free service is capped at 200 container scans per month. This isn't listed anywhere on their website, and doesn't make much sense either as we're the ones that have to provision the hardware to run the scans, they just store the results (and even then, GHA already does that for us). I'm not sure how close we are to the limit, but one of the following solutions would help make sure we don't hit that limit.
HIPAA regulations do not specify a minimum interval for code/IaC/container scanning, but generally speaking all code needs to be scanned before being deployed to production, and scans should run at a short enough interval that they accurately reflect the state of the current container code relative to an up-to-date CVE/CVSS listing.
Implementation
Modify the GHA pipeline to only run Snyk scans on pull requests, and not pushes.
OR
Modify the Snyk job to run periodically (every 24 hours) on the main branch.
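Both options come down to changing the workflow's `on:` triggers so the Snyk job no longer fires on every push. The workflow below is an added example written for this issue, not the repository's existing pipeline: it drops the `push` trigger, keeps the pull-request gate (every change is still scanned before it can reach production) and adds a daily cron on the default branch so results stay current against the CVE feed between merges. The image name `app`, the `--severity-threshold=high` choice and the 06:00 UTC schedule are assumptions; `SNYK_TOKEN` is the environment variable the `snyk/actions/docker` action documents. Scheduled workflows only run against the default branch, so the cron entry covers the "main branch every 24 hours" option without a separate branch filter.

```yaml
# Added example (assumed names, not the project's existing workflow).
name: snyk-container

on:
  # Option 1: scan on pull requests only. The former `push:` trigger is
  # removed so a burst of commits to a feature branch no longer burns
  # one scan per push.
  pull_request:
    branches: [main]
  # Option 2: one scan per day on the default branch (cron is UTC, and
  # GitHub only runs scheduled workflows against the default branch).
  schedule:
    - cron: '0 6 * * *'
  # Keep a manual escape hatch for ad-hoc scans.
  workflow_dispatch:

# Cancel a superseded PR scan when the same PR gets a new commit, which
# further reduces the number of completed scans counted against the quota.
concurrency:
  group: snyk-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed: the repository root contains the Dockerfile. Tag with the
      # commit SHA so the scan result can be tied back to an exact revision.
      - name: Build image
        run: docker build -t app:${{ github.sha }} .

      # SNYK_TOKEN comes from the Snyk account; --file lets Snyk attribute
      # findings to Dockerfile layers. The severity threshold (assumed) makes
      # the PR check fail only on high/critical findings.
      - name: Snyk container scan
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: app:${{ github.sha }}
          args: --file=Dockerfile --severity-threshold=high
```

If only one of the two options is wanted, delete either the `pull_request:` or the `schedule:` block; keeping both costs at most one scan per PR revision plus one per day, which is easy to compare against the 200-scan monthly cap.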