Run Snyk scans

[ben-harvey]

Purpose

Insecure 3rd party dependencies are one of the top security risks for serverless functions. Open source vulnerability scans can help developers mitigate these risks by updating dependencies to a secure version.

GitHub's Dependabot feature creates alerts and fixes for insecure dependencies. So why use Snyk instead of Dependabot?

• CMS provides hosted Snyk as a service to all ADOs
• Snyk allows the aggregation of vulnerabilities across repos, while Dependabot is scoped at the repo level

• The SAF/MITRE team is providing active support for converting Snyk findings to AWS Security Hub Finding Format, which allows importing the findings into Security Hub (a separate change will address an automated import mechanism for QuickStart). Centralizing findings in Security Hub strongly encouraged by CMS for several reasons:

  • CMS already requires ADOs to use Security Hub for native AWS findings
  • Using Security Hub is a prerequisite for receiving Ongoing Authorization

  Linked Issues to Close

N/A

Approach

This change runs Snyk as a GitHub Action in two ways:

• Snyk Test
  • this command is run on pushes to the master branch, and also with a daily cron job. It scans the master branch and uploads the results to the GitHub 'Code Scanning alerts' UI.
  • the goal is to provide developers with vulnerability information for the master branch, which will then be promoted to val/prod
  • eventually this output will be converted and imported to Security Hub
• Snyk Monitor
  • this command is run on pushes to any branch (including master). It uploads a snapshot of the branch's current dependencies and vulnerabilities to the CMS-hosted Snyk dashboard, grouped by branch name as Snyk Projects. Alerts are only generated for the most recent snapshots. When the branch is deleted, the corresponding Snyk Projects are also cleaned up via the destroy script

It also adds documentation on how to set up a CMS Snyk Organization and configure the GitHub secrets that the workflows depend on.

Learning

I read extensively in the GitHub Actions docs and Snyk docs.

• Snyk GitHub Actions
• cloud.cms.gov Snyk documentation

Assorted Notes/Considerations

Testing:

• I ran the deploy and destroy workflows multiple times to test the creation and deletion of Snyk Projects for a branch
• I confirmed that Snyk sarif is uploaded to the GitHub Code Scanning UI
• I went through the process of creating a Snyk Organization and configuring GitHub secrets to test the README steps

Pull Request Creator Checklist

• [ ] This PR has an associated issue or issues.
• [ ] The associated issue(s) are linked above.
• [ ] This PR meets all acceptance criteria for those issues.
• [ ] This PR and linked issue(s) are adequately documented
• [ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.
• [ ] Someone has been assigned this PR.
• [ ] At least one person has been marked as reviewer on this PR.

Pull Request Reviewer/Assignee Checklist

• [ ] This PR has an associated issue or issues.
• [ ] The associated issue(s) are linked above.
• [ ] This PR meets all acceptance criteria for those issues.
• [ ] This PR and linked issue(s) are adequately documented
• [ ] This PR and linked issues(s) are a complete description of the changeset; an individual or team should be able to understand the issue(s) and changes by reading through this PR and it's links, with no further interaction.

[ben-harvey]

MACPro devs prefer to use the existing integration with Dependabot, which provides a lot of the same functionality as Snyk and has the advantage of not adding another dependency.

There's some future work to import Dependabot findings to Security Hub, which will be captured in a separate PR.