cloudevents / spec

CloudEvents Specification
https://cloudevents.io
Apache License 2.0

Setup snyk for SDKs #1235

Open duglin opened 9 months ago

duglin commented 9 months ago

Per old agenda AI

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 30 days with no activity. Mark it as fresh by updating it, e.g., by adding the comment /remove-lifecycle stale.

Igor8mr commented 7 months ago

We have started researching possible steps for implementing Snyk on the CloudEvents SDK. I listed them below to serve as a guide to help implement it.

Initial Setup

  1. Install the Snyk CLI on a local machine according to the operating system.
  2. Run the command snyk auth to authenticate the Snyk account. Follow the prompts to log in and authenticate.
  3. Create the CloudEvents Snyk organization in the Snyk Dashboard.
  4. In the Snyk Dashboard, go to the organization settings and add the GitHub Integration for CloudEvents account under Source Control Integrations.

Individual SDK Setup

  1. In the Snyk Dashboard, click Add Project and select the GitHub repository containing the CloudEvents SDK code.
  2. Configure Snyk Policies by defining policies for the project to set thresholds for vulnerability severity levels.
  3. Enable GitHub Integration for the CloudEvents project to receive automatic pull requests for fixing vulnerabilities, which can streamline the remediation process.
  4. Configure notification settings to alert all interested CloudEvents admins and members for new vulnerabilities or policy violations, which should include at least the maintainers of the specific SDK.
  5. Snyk should also be integrated with the CloudEvents Semantic Versioning control system, so Snyk can automatically update its vulnerability database and scan for new vulnerabilities.

Configure Snyk to perform Dependabot-style checks

  1. Go to the CloudEvents SDK project in the Snyk Dashboard.
  2. Navigate to the Settings tab.
  3. Under Policy, enable the Auto-fix option.
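As an added example (not code from the issue or from the CloudEvents project), this is the severity-threshold policy from step 2 of the SDK setup applied offline to a constructed report shaped like the `vulnerabilities` list of `snyk test --json`; the field names (`severity`, `isUpgradable`, `upgradePath`) are my assumption about Snyk's JSON output and should be checked against a real run. It goes slightly beyond the issue by also listing which findings an auto-fix pull request could upgrade away.

```python
import json

# Snyk severity levels in ascending order of seriousness.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample report (not real Snyk output). The field names follow
# my understanding of `snyk test --json` and are an assumption to verify.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0",
         "isUpgradable": True, "upgradePath": [False, "example-lib@1.0.1"]},
        {"id": "SNYK-EXAMPLE-2", "title": "ReDoS", "severity": "medium",
         "packageName": "other-lib", "version": "2.3.0",
         "isUpgradable": False, "upgradePath": []},
        {"id": "SNYK-EXAMPLE-3", "title": "Information Exposure", "severity": "low",
         "packageName": "third-lib", "version": "0.9.0",
         "isUpgradable": True, "upgradePath": [False, "third-lib@0.9.2"]},
    ],
})


def evaluate_policy(report_json, threshold="high"):
    """Apply a severity threshold to a Snyk-style JSON report.

    Returns (passed, blocking, fixable): `blocking` lists the ids of findings at or
    above the threshold, `fixable` maps package name -> upgrade target for those
    findings that are marked upgradable (the ones an auto-fix PR could address).
    """
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    report = json.loads(report_json)
    min_rank = SEVERITY_ORDER.index(threshold)
    blocking, fixable = [], {}
    for vuln in report.get("vulnerabilities", []):
        severity = vuln.get("severity", "")
        # Fail closed: an unknown severity label is treated as above every threshold.
        rank = SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank < min_rank:
            continue
        blocking.append(vuln["id"])
        if vuln.get("isUpgradable") and vuln.get("upgradePath"):
            # The last entry of upgradePath is the version that removes the finding.
            fixable[vuln["packageName"]] = vuln["upgradePath"][-1]
    return len(blocking) == 0, blocking, fixable


if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_REPORT, threshold="high"))
```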

github-actions[bot] commented 6 months ago

This issue is stale because it has been open for 30 days with no activity. Mark it as fresh by updating it, e.g., by adding the comment /remove-lifecycle stale.