fecgov / fecfile-web-api

Back-end API for FECfile application

Add realtime vulnerability checking for python dependencies, document process in README #732

Open lbeaufort opened 4 months ago

lbeaufort commented 4 months ago

Safety is using 30-day old data. Snyk has a free open source tier: https://snyk.io/product/open-source-security-management/. We'll need to take the 100 tests/month limit into consideration, but we can't be 30 days behind on vulnerabilities once we're in production.

From https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/3118/workflows/46a68b46-9ffc-4809-9bf1-91740531283c/jobs/9659:

Safety is using PyUp's free open-source vulnerability database. This data is 30 days old and limited.

While Snyk is free, it's only for the web app, which has to be checked manually. If we want automated tests and realtime data, we could keep the safety checks as a failsafe and add weekly review of the Snyk app to our security practices.

Alternately, we could use the Snyk webhook checks for the PR and set GitHub to prevent merges when the check fails. We can snooze/ignore the vulnerability in the Snyk web interface and make an internal process to only snooze with a ticket link.

Business Reason

As a [role], I will be able to [blank] so that I can [business reason]

Acceptance Criteria

If [precedent] When [action] Then [result]

QA Notes

null

DEV Notes

null

Design

null

FECFILE-223

mjtravers commented 6 days ago

A Snyk online account has been set up for FEC to monitor the FECFile Online GitHub repositories. The management of vulnerability alerts will be handled as a weekly rotating task performed by a developer who will log into the Snyk Dashboard and perform the following tasks:

  1. Review the vulnerability reports for each of the FECFile Online GitHub repositories.
  2. Write up a ticket (1 for each reported vulnerability) to remediate the vulnerability.
  3. Point and mark each ticket with the following tags: "security", "high priority".
  4. Move each new ticket into the current sprint and sprint backlog.

The weekly assignment log can be found in the Google drive 🔒 here 🔒