GSA-TTS / tts.gsa.gov

Making the website work for people who make websites work
https://federalist-a2423046-fe43-4e75-a2ef-2651e5e123ca.sites.pages.cloud.gov/preview/gsa-tts/tts.gsa.gov/echo-summer20203/

Snyk has no token #98

Closed wesley-dean-gsa closed 1 month ago

wesley-dean-gsa commented 1 month ago

Snyk depends on a secret named SNYK_TOKEN

https://github.com/GSA-TTS/tts.gsa.gov/blob/main/.github/workflows/snyk-security.yml#L52

(screenshot attached: Screenshot_20240717_112656)
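For reference, this is an added example (not the repository's own snyk-security.yml) showing why a workflow that reads the secret fails when it is absent, and one way to make the scan step degrade gracefully instead of breaking the job; the action name, trigger and threshold argument are assumptions.

```yaml
name: Snyk security scan
on: [push, pull_request]

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      # Expands to the empty string when no SNYK_TOKEN secret is configured
      # for the repository or organization (the state described in this issue).
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      # Unguarded form: the Snyk CLI cannot authenticate without a token,
      # so this step (and the whole job) fails on every run.
      # - name: Run Snyk (unguarded)
      #   uses: snyk/actions/node@master

      # Guarded form: only run when a token is actually present.
      # Step-level `if` can read the job-level env, so the check works here.
      - name: Run Snyk to check for vulnerabilities
        if: ${{ env.SNYK_TOKEN != '' }}
        uses: snyk/actions/node@master
        with:
          args: --severity-threshold=high

      # Make the skipped scan visible in the run log rather than silent.
      - name: Report that Snyk was skipped
        if: ${{ env.SNYK_TOKEN == '' }}
        run: echo "::warning::SNYK_TOKEN is not configured; Snyk scan skipped"
```

The warning keeps the gap visible to reviewers until the repository is attached to a Snyk organization (option 1) or the workflow is removed outright (option 3).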

wesley-dean-gsa commented 1 month ago

I put a few options in Slack:

So, we have a few options:

  1. per the TTS Handbook, create a new "organization" for the project. This is a no-cost option and I recommend it.
  2. try to get TTS to acquire (purchase) a TTS-wide Snyk license. This is likely even uglier than it sounds, so I strongly recommend against it at this time
  3. disable Snyk scanning entirely. There are other tools we have in the toolchain (e.g., Dependabot) that will manage our dependencies or just notify us of issues (e.g., Grype, a part of MegaLinter), so the inclusion of Snyk can be seen as a redundancy. Personally, I don't mind having more rigorous scanning in this area, but Snyk is a widely-adopted tool with a good reputation. On the other hand, the site, when built, is static and immutable, so even if there is an undetected / unpatched dependency, the risk associated with an exploit is extremely low.

Right now, we're just waiting on advice about how to proceed.

wesley-dean-gsa commented 1 month ago

Chatted with @katelandisgsa and @JJediny and then sent an email along to LaKeisha Russel and @pauldoomgov soliciting their advice.

wesley-dean-gsa commented 1 month ago

@katelandisgsa wrote:

That being said, I'm comfortable with option 3 if you are.

I am, in fact, comfortable with option 3 (disable Snyk entirely), especially given #97.