argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Improve Snyk security scanning #8657

Open crenshaw-dev opened 2 years ago

crenshaw-dev commented 2 years ago

Summary

I think new Snyk scans/reports should be added to the CI. This is a top-level ticket to cover the several types of reports I think should be added.

Motivation

The Snyk check that is currently in the Argo CD CI has two shortcomings:

1) It checks only for new issues, rather than setting a threshold (we want a threshold of "no 'High' severity issues")
2) It does not generate a report

The Snyk UI is also not sufficient. It requires a lot of manual intervention, such as:

1) Manually adding new images for each patch release across the currently-supported minor versions
2) Manually deleting old images
3) Manually adding "ignore" rules for irrelevant vulnerabilities where the reasons for ignoring are not 1) versioned, 2) visible to anyone who does not have UI access or does not want to fuss with it

Proposal

Snyk scans require a Snyk token (stored in GitHub secrets). That secret is not populated for pull requests. So these scans should run for pushes to master. They should also run on pushes to the release-* branches.

On each release, a scan report should be generated for each scan supported by snyk-to-html, and it should be added to the release assets. For scans not supported by snyk-to-html, we should consider uploading the raw JSON as a release asset.

A .snyk file should be added to the repo root to keep track of "ignore rules" for irrelevant vulnerabilities. The ignore rules contain a text field where maintainers should write justifications for ignoring each high-severity vulnerability.

These checks should run nightly for the three most recent release-* branches. That will help us catch issues with the currently-maintained releases early and avoid extra work when we need to cut a patch release.
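The proposal above asks for two things the current check lacks: a hard threshold ("no 'High' severity issues") and a versioned .snyk file whose ignore rules carry a written justification. The gating script below is an added example, not Argo CD's or Snyk's own code; the report and policy fixtures are constructed, and their field names (`vulnerabilities`, `severity`, `ignore`, `reason`, `expires`) are assumptions modelled on `snyk test --json` output and the .snyk format, so check them against the CLI version in use.

```python
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed fixture in the shape of `snyk test --json` output (field names assumed).
SNYK_REPORT = json.loads("""
{"ok": false, "vulnerabilities": [
  {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "example-lib"},
  {"id": "SNYK-EXAMPLE-0002", "severity": "medium", "packageName": "other-lib"},
  {"id": "SNYK-EXAMPLE-0003", "severity": "critical", "packageName": "third-lib"}
]}
""")

# Constructed .snyk policy as a dict (what a YAML loader would return for the file).
SNYK_POLICY = {
    "version": "v1.25.0",
    "ignore": {
        "SNYK-EXAMPLE-0001": [{"*": {"reason": "Vulnerable function is not reachable from Argo CD code paths",
                                     "expires": "2099-01-01T00:00:00.000Z"}}],
        # Ignore rule with no written justification: the gate must not honour it.
        "SNYK-EXAMPLE-0003": [{"*": {"reason": "", "expires": "2099-01-01T00:00:00.000Z"}}],
    },
}

def justified_ignores(policy):
    """Map vulnerability id -> reason, for ignore rules that carry a non-empty justification."""
    result = {}
    for vuln_id, rules in policy.get("ignore", {}).items():
        for rule in rules:
            for _path, attrs in rule.items():
                reason = (attrs or {}).get("reason", "").strip()
                if reason:
                    result[vuln_id] = reason
    return result

def evaluate(report, policy, threshold="high"):
    """Return (blocking, unjustified): ids at/above `threshold` not covered by a justified
    ignore (these fail CI, in report order), and ignore-rule ids lacking a written reason."""
    justified = justified_ignores(policy)
    unjustified = [v for v in policy.get("ignore", {}) if v not in justified]
    blocking = []
    for vuln in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(vuln["severity"], 0) >= SEVERITY_RANK[threshold] and vuln["id"] not in justified:
            blocking.append(vuln["id"])
    return blocking, unjustified

if __name__ == "__main__":
    blocking, unjustified = evaluate(SNYK_REPORT, SNYK_POLICY)
    print("blocking:", blocking, "ignores without justification:", unjustified)
    raise SystemExit(1 if blocking else 0)
```

Run as a step after the Snyk CLI call, with the real JSON output and the parsed .snyk file in place of the fixtures; a non-zero exit fails the job, and `unjustified` surfaces ignore rules that were added without a reason.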

leoluz commented 2 years ago

Snyk provides their own GitHub actions that seem to integrate well with the GitHub Code Scanning UI:

I think this is a good candidate to have Snyk better integrated in the Argo CD CI.

crenshaw-dev commented 2 years ago

Good point. The main considerations for those built-in actions are:

1) Can they produce reports which could be added as release assets?
2) Would running multiple actions be as fast as running a single container with multiple CLI calls?

If the answer to either of those is yes, then there's a question for the single-container implementer: can the CLI calls still be made to produce sarif files for GitHub to consume?

OmerKahani commented 2 years ago

Hi,

Omer here from Snyk. I would want to pick this up :)

Has there been any progress since March?

crenshaw-dev commented 2 years ago

Hey, @OmerKahani, would love to have some help!

There's been a bit of progress. I added a GitHub workflow to write Snyk scans and summaries to the docs: https://github.com/argoproj/argo-cd/pull/9856

It runs weekly to avoid using up the private scan limit and to avoid pushing too many commits to master.

Unfortunately, the scan failed this weekend. I still haven't had a chance to look into it: https://github.com/argoproj/argo-cd/actions/workflows/update-snyk.yaml

Ideally I'd still love to bundle scan reports with releases. But for now I've been focusing on the new docs page. :-)

OmerKahani commented 2 years ago

@crenshaw-dev can you please add me to the Snyk org, so I can debug the script locally?