Alternative to snyk-delta, being it in maintenance

[radekjezdik]

Hello,

I just want to ask, what is the future of this project as it is in maintenance mode. Is it being reworked into snyk CLI directly? Is it useable in production, or the idea is abandoned? Is there an alternative?

My question points more toward how would one use snyk to find new vulnerabilities introduced in a PR branch compared to the master branch. As I think, this is almost every time the right thing to do and almost a standard, I'm curious what is the recommended way of achieving this if not using this project?

Thank you.

[SS-SamiAhonen]

Hi, I have a same question than radekjezdik. I would like to setup GitHub actions to perform delta-check at PR branch to main branch which snyk is configured to listening (use case here: when developer introduces new vulnerabilities to docker images those should be checked at PR phase just like open-source and code checks are made). Earlier tested this last year and delta check would not work.

From CI perspective project specific id to compare is quite hard because then we need manual maintenance for project id's, baseline-org id is ok at my case. But if someone could open up how snyk performs delta-check (more detailed explanation)

[aarlaud]

Hi, being the main contributor here, I can give you a few answers and technical details how this tool works. For the in depth explanation, rather than detailing this in a thread here, I'm going to put together a markdown page explaining all the details. I'll try to put something out by end of month.

As far as the future of this project, I can tell you the following:

• The current version of this project will remain maintained in its current state as long as it is needed.
• This is an open source project and as such, contributions are welcome. While I'm an employee of Snyk, it is by no means restricting contributors to be Snyk employees only.
• I'm inquiring with the Snyk product team to communicate plans around such capabilities, so more formal communication about this from Snyk is to come.

From a capability perspective:

• Snyk capabilities are continuously added to the platform. Some of them are not compatible with the way this tool works for various reasons. I'll touch on that in the technical explanation.
• Some shortcomings are tied to availability over the API of certain endpoints or results. As Snyk is investing heavily in API support in general, some of the missing supporting blocks might get added and open the door to additional capabilities being added to snyk-delta.

I hope it helps somewhat.

[aarlaud]

Added some more details => https://github.com/snyk-tech-services/snyk-delta/blob/develop/docs/NOTES.md