Closed ben-harvey closed 2 years ago
MACPro devs prefer to use the existing integration with Dependabot, which provides a lot of the same functionality as Snyk and has the advantage of not adding another dependency.
There's some future work to import Dependabot findings to Security Hub, which will be captured in a separate PR.
Purpose
Insecure 3rd party dependencies are one of the top security risks for serverless functions. Open source vulnerability scans can help developers mitigate these risks by updating dependencies to a secure version.
GitHub's Dependabot feature creates alerts and fixes for insecure dependencies. So why use Snyk instead of Dependabot?
The SAF/MITRE team is providing active support for converting Snyk findings to AWS Security Hub Finding Format, which allows importing the findings into Security Hub (a separate change will address an automated import mechanism for QuickStart). Centralizing findings in Security Hub is strongly encouraged by CMS for several reasons:
Linked Issues to Close
N/A
Approach
This change runs Snyk as a GitHub Action in two ways:

- On the `master` branch, and also with a daily cron job. It scans the `master` branch and uploads the results to the GitHub 'Code Scanning alerts' UI.
- On each branch (not just `master`). It uploads a snapshot of the branch's current dependencies and vulnerabilities to the CMS-hosted Snyk dashboard, grouped by branch name as Snyk Projects. Alerts are only generated for the most recent snapshots. When the branch is deleted, the corresponding Snyk Projects are also cleaned up via the `destroy` script.

It also adds documentation on how to set up a CMS Snyk Organization and configure the GitHub secrets that the workflows depend on.
Learning
I read extensively in the GitHub Actions docs and Snyk docs.
Assorted Notes/Considerations
Testing: Ran the `deploy` and `destroy` workflows multiple times to test the creation and deletion of Snyk Projects for a branch.

Pull Request Creator Checklist
Pull Request Reviewer/Assignee Checklist
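For reference, the two-trigger layout described under Approach (a Code Scanning upload for `master` plus a per-branch `snyk monitor` snapshot) looks like the workflow below. This is an added illustration, not the workflow file from this PR or from the MACPro repository. It assumes a Node.js project, a GitHub secret named `SNYK_TOKEN`, a 06:00 UTC daily schedule and the SARIF output path `snyk.sarif`; the branch-deletion cleanup done by the PR's `destroy` script is not reproduced here.

```yaml
# Added example, not the PR's own workflow. Assumptions: Node.js project,
# secret SNYK_TOKEN, 06:00 UTC schedule, SARIF file snyk.sarif, default
# branch named master.
name: Snyk

on:
  push:
    branches: ['**']      # every branch push feeds the monitor job below
  schedule:
    - cron: '0 6 * * *'   # daily scan of master; time is an assumption

permissions:
  contents: read
  security-events: write  # required for upload-sarif to create Code Scanning alerts

jobs:
  # Way 1: scan master and surface findings in the Code Scanning alerts UI.
  # Scheduled runs execute on the default branch, so the condition holds for them too.
  code-scanning:
    if: github.ref == 'refs/heads/master'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: snyk test with SARIF output
        uses: snyk/actions/node@master   # pin to a commit SHA before relying on this
        continue-on-error: true          # snyk exits non-zero when it finds issues; still upload
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload results to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

  # Way 2: snapshot the branch's dependency tree to the Snyk dashboard as a
  # Project named after the branch, so alerts are grouped per branch.
  monitor:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: snyk monitor
        uses: snyk/actions/node@master   # same pinning caveat as above
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: --project-name=${{ github.ref_name }}
```

Two points a reviewer would check in a workflow like this: `snyk/actions/node@master` is a mutable reference, so a compromised or changed action would run with the repository's `SNYK_TOKEN`; pin to a commit SHA. And `continue-on-error: true` is what lets the SARIF upload happen after findings, but it also masks real failures such as an invalid token, so the upload step should be treated as the signal, not a green job.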