This repository was archived by the owner on Jul 28, 2025. It is now read-only.

Conversation

@pd-snyk-integration

SEC-6985 Add Snyk Scans in CircleCI (NPM)

Context

This PR will enable Snyk SCA scans in CircleCI.

Important! These scans are full repository scans and are in addition to the existing Snyk PR Checks via the Github integration. The expectation is NOT that Engineers will resolve all of the findings from the full scan. They are designed to increase awareness that there are findings in the repo as a whole. See Service Owners' Guide | Integration Points | CircleCI for a full explanation.

For more information on these, see our pages on Confluence:
Service Owners' Guide | Integration Points
FAQ | Github & CircleCI / BuildKite Snyk Integrations

Changes Include:

  1. Updating the CircleCI config.yml to add the PagerDuty Snyk orb, and adding the Job to run that scan

Outside of Scope

  • Only Snyk SCA scans are being implemented in pipelines. These scan package manager files for vulnerable dependencies. Snyk Code (SAST) scans will not be implemented in pipelines. Those will remain implemented only via the Github integration.

Engineering Team Code Owners Should Test, Validate, and Merge

Please update as needed and merge these PRs when you feel comfortable to do so.
We are asking the teams that own each repository to carefully test and merge these changes so they can monitor for any resulting issues, as they are more familiar with the code and deploy process.

Note: If this project is a library to which you may backport changes, including the Snyk scan, please advise so that an additional parameter can be added.

Checklist for Team Code Owners

  • Ensure that all builds are successful.
  • Check review for any comments/addendums from Product Security that might need to be manually addressed.
  • Approve and MERGE the PR when ready!

Checklist for Product Security

Snyk WebUI

  • The Snyk WebUI has been reviewed to ensure the repo is now showing up as expected
  • There are no duplicate findings in the WebUI (ex: there's already a Github integration for non-Elixir dependencies)

CircleCI

  • Ensure all builds still complete
  • The Snyk scan is not failing due to an error with the scan
  • The Snyk scan is either passing or failing due to vulnerabilities
  • The Snyk scan is detecting the expected package manager files (based on reviewing what's in the repo)
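The PagerDuty Snyk orb this PR adds is not shown on the page, so its name and parameters are not reproduced here. The following CircleCI config is an added example, not the PR's own change: it runs the same kind of full-repository Snyk SCA scan with the Snyk CLI directly, and separates the two outcomes the Product Security checklist distinguishes (the scan itself erroring versus the scan completing with vulnerabilities). It assumes a `SNYK_TOKEN` environment variable supplied through a CircleCI context (hypothetical name `snyk`) and a `cimg/node` Docker image; the `fail-on-vulnerabilities` job parameter is an assumption introduced to make the informational-versus-blocking choice explicit.

```yaml
# Added example (not the PR's own config.yml): full-repository Snyk SCA scan
# using the Snyk CLI instead of the PagerDuty orb referenced in the PR.
# Assumes SNYK_TOKEN is provided by a CircleCI context named "snyk"
# (hypothetical) and that the cimg/node image tag below exists.
version: 2.1

jobs:
  snyk-sca-scan:
    parameters:
      # Hypothetical parameter: false keeps the scan informational, matching
      # the PR's statement that engineers are not expected to fix every
      # finding from the full scan; true makes the job fail on findings.
      fail-on-vulnerabilities:
        type: boolean
        default: false
    docker:
      - image: cimg/node:20.11
    steps:
      - checkout
      - run:
          name: Install Snyk CLI
          command: npm install -g snyk
      - run:
          name: Snyk SCA scan (full repository)
          command: |
            # --all-projects walks the checkout for every supported manifest
            # (package.json and others), which is what makes this a full
            # repository scan rather than a single-project scan.
            # Documented `snyk test` exit codes:
            #   0 = no issues, 1 = vulnerabilities found,
            #   2 = the scan itself failed, 3 = no supported projects found.
            set +e
            snyk test --all-projects --severity-threshold=high
            rc=$?
            set -e
            case "$rc" in
              0)
                echo "Snyk: no high/critical vulnerabilities found" ;;
              1)
                echo "Snyk: vulnerabilities found (see output above)"
                if [ "<< parameters.fail-on-vulnerabilities >>" = "true" ]; then
                  exit 1
                fi ;;
              2)
                # Scan error: the checklist item "not failing due to an error
                # with the scan" is about this case (token, network, manifest).
                echo "Snyk: scan error, check SNYK_TOKEN and manifests" >&2
                exit 2 ;;
              3)
                # No manifests detected: the checklist item about detecting
                # the expected package manager files is about this case.
                echo "Snyk: no supported package manager files detected" >&2
                exit 3 ;;
              *)
                echo "Snyk: unexpected exit code $rc" >&2
                exit "$rc" ;;
            esac

workflows:
  security-scan:
    jobs:
      - snyk-sca-scan:
          context: snyk
```

With the default parameter value the job only fails when the scan could not run (exit codes 2 and 3), so a red build signals a broken integration rather than a vulnerable dependency; reviewers validating the checklist can read the step output to tell a real finding (exit code 1, build still green) apart from a scan error.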
