fecgov / openFEC

The first RESTful API for the Federal Election Commission. We're aiming to make campaign finance more accessible for journalists, academics, developers, and other transparency seekers.
https://api.open.fec.gov/developers

Experiment with snyk/circle ci integration or testing on PR #4064

Closed jason-upchurch closed 4 years ago

jason-upchurch commented 4 years ago

Summary

  1. Snyk offers CircleCI integration for testing dependencies at build time with: https://circleci.com/orbs/registry/orb/snyk/snyk

  2. Snyk also offers the ability to test when a PR is submitted: https://snyk.io/docs/github/

These two approaches should be reviewed to see if there is an opportunity to streamline log review and standardize vulnerability testing or otherwise simplify workflow.

It may also be the case that these tools offer no appreciable benefit, so a brief review may be helpful in providing evidence in either case.

Completion criteria
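As an added illustration (not from this issue and not openFEC's own CircleCI configuration) of what option 1 above would look like in practice: a CircleCI job that installs the project's Python dependencies and then runs the Snyk orb's scan as a report-only step, so the build is not blocked by findings. The orb version, job and workflow names, the `SNYK_TOKEN` project environment variable and the orb parameter names used here are assumptions and should be checked against the orb registry page linked above before use.

```yaml
# Added example, not openFEC's actual .circleci/config.yml.
# Assumptions: orb version 1.1.2, job/workflow names, SNYK_TOKEN set as a
# CircleCI project environment variable, and the orb parameter names below
# (verify against https://circleci.com/orbs/registry/orb/snyk/snyk).
version: 2.1

orbs:
  snyk: snyk/snyk@1.1.2

jobs:
  dependency-scan:
    docker:
      - image: cimg/python:3.9
    steps:
      - checkout
      # Snyk builds the Python dependency tree from the installed packages,
      # so install them before scanning.
      - run:
          name: Install dependencies
          command: pip install -r requirements.txt
      # Report-only scan: findings appear in the job output (and in the Snyk
      # UI when monitor-on-build is set) but do not fail the build.
      - snyk/scan:
          token-variable: SNYK_TOKEN
          target-file: requirements.txt
          severity-threshold: high
          fail-on-issues: false
          monitor-on-build: true

workflows:
  build:
    jobs:
      - dependency-scan
```

The `fail-on-issues: false` setting is the knob that decides whether the scan is a gate or just another input to the team's own security log review; setting it to `true`, or lowering `severity-threshold`, is what would make it block merges. Option 2 (scanning when a PR is opened) is not expressed in this file at all; it is enabled on the Snyk side through the GitHub integration.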

jason-upchurch commented 4 years ago

Closing issue. Per team discussion:

we decided against it because it may block our work unnecessarily. Especially since we like to control what security issues get flagged in security log review rather than having a bot do it for us

cc @patphongs