-
Notifications
You must be signed in to change notification settings - Fork 15
Snyk issue resolution
Snyk scans and reviews public repositories for free. Since data.gov makes all repositories public by default, this is a useful tool for us to make sure our systems have no security holes.
When a report comes through of a security risk on a dependency, the following approach should be used:
- Review remediation provided by Snyk, see if easily implementable
- If easy implementation/upgrade (ie < 2 hour white noise threshold), do upgrade and create PR, essentially done
- If there are no remediation steps, review ticket description and links for more detail. Looking for the answer to the following questions:
- Can we mitigate the risks (ie sanitize user input before using SQL library, etc)
- Is the risk acceptable? If so, why?
- If there are remediation steps but the upgrade is not tenable, please note along with the answers to the questions above
Once the triage is done, create ticket(s) if appropriate and/or update the .snyk file for the relevant repository with the updated issue and ignore notes. The expiration date should follow our triage guidelines: 15 days for critical, 30 days for high, 90 days for medium.
We review the Snyk Project Dashboard weekly to make sure no issues have been missed. Any errors should be triaged and mitigations documented/tickets created as necessary.
Note: The emails do not take .snyk files into consideration, so they might claim more un-triaged vulnerabilities than actually exist. The snyk dashboard is the correct source for vulnerabilities that need to be addressed.
The Snyk site has a number of useful configurations. We have setup both periodic scans and PR scans for various repositories. We don't scan our CKAN extensions, as the requirements/libraries utilized in those repositories are not shipped to staging or production: only the requirements in catalog-app (to be catalog.data.gov) and inventory-app.
All repositories should have the GitHub Integration as seen on the Projects page, except for datagov-deploy. This repository we were able to mark as open source via the configuration settings, and should not count against private tests.
The Infrastructure as Code scanning is still in beta and did not work to setup for datagov-infrastructure-live. Could be useful to setup in the future.
To integrate a new repository, simply login to Snyk.io and go to the Projects page. Click the Add Project button, and select GitHub. Search for the correct repository, and then create a new project. Nothing needs to be done on the GitHub side, everything is handled by Snyk.
There are some global settings in Snyk that may require overriding for specific repositories. All PR's are scanned, but only new issues specific to that PR are raised. This may not be the best for the added repository, so be sure to check inherited settings before finalizing setup.