fecgov / openFEC

The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
https://api.open.fec.gov/developers

[ATO] Research and implement new vulnerability tracking tool #2996

Closed patphongs closed 6 years ago

patphongs commented 6 years ago

Gemnasium will be shut down on May 15th. We need to use another tool. This tool, Snyk, was suggested by @LindsayYoung: https://snyk.io/. We want to test out a new vulnerability tracking tool before Gemnasium expires. We can hook up both Gemnasium and Snyk at the same time to test it out, and when we are ready, we can remove Gemnasium.

CMS first as a test.

Completion Criteria:

patphongs commented 6 years ago

I am currently on step 1, which is to check with security to make sure this tool is approved for use. This requires us to assess the product through our FedRAMP low tailored approach. I'll pair with @JayRibeiro more to see what is fully needed with this. Until we get approval to use this, we'll have to hold off on any further implementation.

patphongs commented 6 years ago

@JayRibeiro has given us the green light to test out Snyk. This is no longer blocked and can move forward.

patphongs commented 6 years ago

I have implemented this tool on 4 of our GitHub code repos:

Initial findings have been very positive. Documentation for the tool is clean and simple to use. Documentation can be found here: https://snyk.io/docs/using-snyk/#wizard

Positive findings:

patphongs commented 6 years ago

All the items here are complete and will be shared during sprint demo on Monday. Will close this ticket after demo on Monday.

patphongs commented 6 years ago

Closing this ticket now. We have a separate issue where we will check the logs to fully test in sprint 5.5 to compare the Snyk vs. Gemnasium alerts.
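The follow-up work described in the thread is to run both scanners side by side and compare their alerts before Gemnasium is removed. The script below is an added example of how such a comparison can be done, not code from the openFEC project or from either vendor: it normalizes each tool's alerts to a (package, version, CVE) key, reports what only the old tool flagged (the coverage you would lose), what only the new tool flagged, and where the two disagree on severity. The Snyk sample is constructed and shaped like the top-level fields of `snyk test --json` output (the field names `vulnerabilities[].packageName`, `.version`, `.severity` and `.identifiers.CVE` are assumptions); the Gemnasium sample is a constructed CSV in a hypothetical export format, since the thread does not show Gemnasium's real output. The CVE ids are real advisories for those package versions, but the severity labels are illustrative.

```python
"""Reconcile alerts from an outgoing dependency scanner (Gemnasium) with an
incoming one (Snyk) so the old tool can be retired without losing coverage.
Added example; the input formats below are constructed samples."""
import json
from typing import Dict, List, Tuple

# Alert key: (package name lower-cased, installed version, CVE id)
Key = Tuple[str, str, str]

# Constructed sample shaped like `snyk test --json` (assumed field names).
SNYK_JSON = """
{
  "ok": false,
  "vulnerabilities": [
    {"packageName": "requests", "version": "2.18.0", "severity": "high",
     "identifiers": {"CVE": ["CVE-2018-18074"]}},
    {"packageName": "urllib3", "version": "1.22", "severity": "medium",
     "identifiers": {"CVE": ["CVE-2018-20060"]}},
    {"packageName": "Flask", "version": "0.12", "severity": "high",
     "identifiers": {"CVE": ["CVE-2018-1000656"]}}
  ]
}
"""

# Constructed sample in a hypothetical Gemnasium CSV export format.
GEMNASIUM_CSV = """package,version,cve,severity
requests,2.18.0,CVE-2018-18074,high
urllib3,1.22,CVE-2018-20060,high
PyYAML,3.12,CVE-2017-18342,critical
"""


def parse_snyk(raw: str) -> Dict[Key, str]:
    """Map each (package, version, CVE) reported by Snyk to its severity."""
    alerts: Dict[Key, str] = {}
    for vuln in json.loads(raw).get("vulnerabilities", []):
        # A finding may carry several CVEs, or none (then fall back to the
        # tool's own id so the alert is not silently dropped).
        cves = vuln.get("identifiers", {}).get("CVE") or [vuln.get("id", "")]
        for cve in cves:
            key = (vuln["packageName"].lower(), vuln["version"], cve)
            alerts[key] = vuln["severity"].lower()
    return alerts


def parse_gemnasium(raw: str) -> Dict[Key, str]:
    """Map each (package, version, CVE) in the CSV export to its severity."""
    alerts: Dict[Key, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the header row
        pkg, ver, cve, sev = [field.strip() for field in line.split(",")]
        alerts[(pkg.lower(), ver, cve)] = sev.lower()
    return alerts


def compare(old: Dict[Key, str], new: Dict[Key, str]) -> Dict[str, List]:
    """Partition alerts into old-only, new-only, shared, and severity mismatches."""
    old_keys, new_keys = set(old), set(new)
    shared = sorted(old_keys & new_keys)
    return {
        "only_old": sorted(old_keys - new_keys),   # coverage lost on cut-over
        "only_new": sorted(new_keys - old_keys),   # extra findings from Snyk
        "both": shared,
        "severity_disagreements": [
            (*key, old[key], new[key]) for key in shared if old[key] != new[key]
        ],
    }


def migration_ok(old: Dict[Key, str], new: Dict[Key, str]) -> bool:
    """True only when the new scanner reports everything the old one did."""
    return not (set(old) - set(new))


if __name__ == "__main__":
    gemnasium = parse_gemnasium(GEMNASIUM_CSV)
    snyk = parse_snyk(SNYK_JSON)
    report = compare(gemnasium, snyk)
    for section, rows in report.items():
        print(f"{section}:")
        for row in rows:
            print("   ", row)
    print("safe to remove Gemnasium:", migration_ok(gemnasium, snyk))
```

Run it against real exports by replacing the two constants with the files' contents; the decision rule is deliberately strict (any alert the old tool raised that the new one does not is a blocker), and the severity disagreements list is what you would read through by hand before trusting the new tool's triage.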