Thanks, Tony!
I've cross-posted this to fluid-work as I believe it'll also be a tool for
Fluid.
Here's my email to fluid-work, the same applies to GPII (re: org creation in
Snyk):
----
Hello,
There was a discussion in the GPII Architecture mailing list that started in
Oct 2015 when snyk.io was released and I believe it would be beneficial to adopt
it for Fluid repositories.
Here are the relevant threads:
http://lists.gpii.net/pipermail/architecture/2015-November/thread.html
http://lists.gpii.net/pipermail/architecture/2017-April/thread.html
And here's more information about Snyk:
https://snyk.io/docs/faqs/
https://snyk.io/plans
I took the liberty of creating a "Fluid Project" organization in Snyk and
invited the Fluid Project's GitHub administrators to it (as I don't have
permission to add repositories).
Enabling Snyk for a repository means:
* A WebHook will get added to notify snyk.io of new PR and commits
* A notification will be added to new PRs to identify if they introduce
security vulnerabilities (within snyk's scope)
* The repository will be constantly monitored for new vulnerabilities
To clarify, Snyk is not a static code analyzer. It simply inspects
dependencies that have known vulnerabilities.
If there is consensus on adopting this tool, I would like to request that
someone with admin privileges to the Fluid Project in GitHub access Snyk.io
and add the repositories.
Regards,
Giovanni
----
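Added illustration (not from the thread and not Snyk's own code): a toy model of the two checks described above, the per-PR check that flags only dependencies a PR introduces, and the repo-wide monitor that flags everything. Lockfiles and the advisory list are constructed here and stand in for the real Snyk database.

```python
"""Toy dependency-vulnerability check: a known-vulnerability lookup over a
lockfile, not code analysis. All data below is constructed for illustration."""
import json
import re

# Constructed advisory list (placeholder ids, not real Snyk data):
# package -> [(first fixed version, advisory id)]
ADVISORIES = {
    "lodash": [("4.17.5", "ADV-PLACEHOLDER-1")],
    "minimist": [("1.2.3", "ADV-PLACEHOLDER-2")],
}

def parse_version(v):
    """'4.17.4' -> (4, 17, 4) for ordering; prerelease tags are ignored."""
    return tuple(int(x) for x in re.match(r"\d+(\.\d+)*", v).group(0).split("."))

def vulnerable(name, version):
    """Advisory ids that apply to name@version (below the first fixed version)."""
    return [adv for fixed, adv in ADVISORIES.get(name, [])
            if parse_version(version) < parse_version(fixed)]

def locked_deps(lock_json):
    """Flatten a package-lock.json style 'dependencies' map to {name: version}."""
    return {n: d["version"] for n, d in json.loads(lock_json)["dependencies"].items()}

def monitor(lock_json):
    """Repo-wide view: every locked dependency with a matching advisory."""
    return [(n, v, adv) for n, v in sorted(locked_deps(lock_json).items())
            for adv in vulnerable(n, v)]

def pr_check(base_lock, pr_lock):
    """PR view: only dependencies this PR adds or changes to a vulnerable version."""
    base = locked_deps(base_lock)
    return [(n, v, adv) for n, v, adv in monitor(pr_lock) if base.get(n) != v]

# Constructed lockfiles: the PR leaves lodash alone and adds two packages.
BASE_LOCK = json.dumps({"dependencies": {"lodash": {"version": "4.17.4"}}})
PR_LOCK = json.dumps({"dependencies": {
    "lodash": {"version": "4.17.4"},    # pre-existing: monitor reports it, PR check does not
    "minimist": {"version": "1.2.0"},   # newly added and below the fixed version
    "express": {"version": "4.15.2"},   # newly added, no advisory in the list
}})

if __name__ == "__main__":
    print("PR introduces:", pr_check(BASE_LOCK, PR_LOCK))
    print("Repo monitor:", monitor(PR_LOCK))
```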
On 04/06/2017 04:50 AM, Tony Atkins wrote:
> Hi, Giovanni.
>
> Personally I would be happy to have this for every repo and PR. Even though
> many of us regularly run "npm outdated" (or "yarn outdated") and test our
> work with newer libraries, having a report on known bad versions gives us a
> consistent "trailing edge". By that I mean that if we haven't managed to
> otherwise update our dependencies when snyk identifies a problem, we have a
> good reason to take a moment and review.
>
> Anyway, +1 from me.
>
> Cheers,
>
>
> Tony
>
> On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <[email protected]> wrote:
>
> Snyk can monitor repositories and test new PRs for vulnerable packages.
>
> Is there interest in having this tool automatically monitor our
> repositories? It's free for open source projects.
>
> https://snyk.io/docs/github
>
> On 10/29/2015 02:29 PM, Steve Lee wrote:
> > https://snyk.io/
> >
> > Steve Lee
> > OpenDirective http://opendirective.com
> > _______________________________________________
> > Architecture mailing list
> > [email protected]
> > http://lists.gpii.net/mailman/listinfo/architecture
> >
>
>