forked from CMU-17313Q/cmu-17313q-f24-nodebb-f24-NodeBB
Integrating Snyk Security Analysis Tool into Github #69
Merged
Conversation
Pull Request Test Coverage Report for Build 11653010628 (Coveralls)
Hakaabi
changed the title
Integrating snyk2
Integrating Snyk Security Analysis Tool into Github
Nov 3, 2024
zanzoonh
approved these changes
Nov 3, 2024
Looks great to me!
AlAnoud2003
reviewed
Nov 3, 2024
Great integration of the tool!
This was referenced Nov 3, 2024
In this Pull Request I integrated the Snyk security analysis tool into our CI pipeline to automate vulnerability detection on all pull requests on our branch ‘f24’. I also modified the GitHub Actions workflow to automate the Snyk test process on every pull request.
I installed the snyk tool using the command 'npm install -g snyk' and then made the following modifications to ensure its integration:
Authentication
Using the command 'snyk auth', I navigated to 'https://app.snyk.io/account', created an account linked to my GitHub account, and connected our repository to the Snyk account for automated vulnerability scanning.
I went to Settings and added a repository secret 'SNYK_KEY' to authenticate Snyk in our GitHub Actions workflow.
Files Added
./install/.snyk
I modified the ignore file to include entries for low-risk vulnerabilities that do not impact our current usage. Each vulnerability entry includes a reason for ignoring it and an expiration date, so that the assessment is revisited as dependencies evolve.
.github/workflows/snyk.yaml
I configured Snyk to run security checks on each pull request targeting the f24 branch and set the checks to flag high and critical severity vulnerabilities, using the 'npx snyk test --severity-threshold=high' command.
Files modified
I added snyk version 1.1294.0 to the development dependencies, updated body-parser from 1.20.2 to 1.20.3 to address an Asymmetric Resource Consumption (Amplification) vulnerability, and upgraded express from 4.19.2 to 4.20.0 to fix a related vulnerability.
Workflow Execution and Testing
I ran the Snyk Test GitHub Action workflow to validate the integration and ensure dependencies are scanned within the ./install directory, and I manually tested the Snyk configuration locally to confirm that all vulnerability detections align with Snyk's latest advisories.
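For readers who want to see how the pieces described above fit together, here is an added example of a GitHub Actions workflow of the kind the PR describes. It is not the PR's own .github/workflows/snyk.yaml. It assumes the scanned manifest and the .snyk policy live in ./install, that snyk is available as a dev dependency so `npx snyk` resolves locally, and that the repository secret is named SNYK_KEY (exposed to the CLI through the SNYK_TOKEN environment variable, which the Snyk CLI reads for authentication). The action versions (actions/checkout@v4, actions/setup-node@v4) and Node version are assumptions, not taken from the PR.

```yaml
# Added example (not the PR's own workflow file).
# Runs `snyk test` on every pull request targeting f24 and fails the
# check only on high/critical findings; findings listed in ./install/.snyk
# with a reason and expiry are excluded from the gate.
name: Snyk Test

on:
  pull_request:
    branches: [f24]

# Read-only token for the job: the scan needs nothing beyond checkout.
permissions:
  contents: read

jobs:
  snyk:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Assumption: the manifest and .snyk policy are in ./install
        working-directory: ./install
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Install dependencies so Snyk can resolve the full dependency tree
      # (and so the locally pinned snyk dev dependency is available to npx).
      - run: npm install

      # Gate on high/critical only; lower-severity issues are reported in
      # the log but do not fail the pull request.
      - run: npx snyk test --severity-threshold=high
        env:
          # Assumption: repository secret is named SNYK_KEY (per the PR);
          # the Snyk CLI reads its API token from SNYK_TOKEN.
          SNYK_TOKEN: ${{ secrets.SNYK_KEY }}
```

Two points worth checking when adopting a setup like this: the token is passed only as an environment variable to the single step that needs it, so it never appears in the checked-out tree or the job log; and the severity gate is only as trustworthy as the .snyk policy next to the manifest, so each ignore entry should carry the reason and expires fields the PR describes, otherwise an accepted risk silently becomes a permanent exception.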