I haven't received any objections to Snyk so I'm proceeding by lazy consensus rules.
Snyk has been activated for the GPII repositories.

On 04/06/2017 09:49 AM, Tirloni, Giovanni wrote:
> Thanks, Tony!
>
> I've cross-posted this to fluid-work as I believe it'll also be a tool for
> Fluid.
>
> Here's my email to fluid-work, the same applies to GPII (re: org creation in
> Snyk):
>
> ----
> Hello,
>
> There was a discussion in the GPII Architecture mailing list that started
> in Oct 2015 when snyk.io was released and I believe it would be beneficial to
> adopt it for Fluid repositories.
>
> Here are the relevant threads:
>
> http://lists.gpii.net/pipermail/architecture/2015-November/thread.html
> http://lists.gpii.net/pipermail/architecture/2017-April/thread.html
>
> And here's more information about Snyk:
>
> https://snyk.io/docs/faqs/
> https://snyk.io/plans
>
> I took the liberty of creating a "Fluid Project" organization in Snyk and
> invited the Fluid Project's GitHub administrators to it (as I don't have
> permission to add repositories).
>
> Enabling Snyk for a repository means:
>
> * A WebHook will get added to notify snyk.io of new PRs and commits
> * A notification will be added to new PRs to identify if they introduce
>   security vulnerabilities (within snyk's scope)
> * The repository will be constantly monitored for new vulnerabilities
>
> To clarify, Snyk is not a static code analyzer. It simply inspects
> dependencies that have known vulnerabilities.
>
> If there is consensus on adopting this tool, I would like to request that
> someone with admin privileges to the Fluid Project in GitHub access
> Snyk.io and add the repositories.
>
> Regards,
> Giovanni
> ----
>
> On 04/06/2017 04:50 AM, Tony Atkins wrote:
>> Hi, Giovanni.
>>
>> Personally I would be happy to have this for every repo and PR. Even though
>> many of us regularly run "npm outdated" (or "yarn outdated") and test our
>> work with newer libraries, having a report on known bad versions gives us a
>> consistent "trailing edge". By that I mean that if we haven't managed to
>> otherwise update our dependencies when snyk identifies a problem, we have a
>> good reason to take a moment and review.
>>
>> Anyway, +1 from me.
>>
>> Cheers,
>>
>> Tony
>>
>> On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <[email protected]> wrote:
>>
>> Snyk can monitor repositories and test new PRs for vulnerable packages.
>>
>> Is there interest in having this tool automatically monitoring our
>> repositories? It's free for open source projects.
>>
>> https://snyk.io/docs/github
>>
>> On 10/29/2015 02:29 PM, Steve Lee wrote:
>> > https://snyk.io/
>> >
>> > Steve Lee
>> > OpenDirective http://opendirective.com
>> > _______________________________________________
>> > Architecture mailing list
>> > [email protected]
>> > http://lists.gpii.net/mailman/listinfo/architecture
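To illustrate the distinction Tony draws between "npm outdated" and a report on known bad versions, here is an added example that is not from this thread and not Snyk's own code: a small checker that flags a dependency as outdated when a newer release exists and as vulnerable only when its installed version falls inside an advisory's affected semver range. The advisory ids, the latest-version table and the dependency list are all constructed for the demo.

```javascript
// Added example, not from the thread or from Snyk: tells "outdated" (a newer
// release exists) apart from "known vulnerable" (the installed version falls
// inside an advisory's affected range). Advisory ids, latest versions and the
// dependency list are all constructed for this demo.

const parse = v => v.split('.').map(Number);

// Compare two x.y.z versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

const ops = { '<': d => d < 0, '<=': d => d <= 0, '>': d => d > 0,
              '>=': d => d >= 0, '=': d => d === 0 };

// A range is a space-separated list of comparators, e.g. ">=2.0.0 <2.1.3";
// every comparator must hold for the version to be inside the range.
function inRange(version, range) {
  return range.trim().split(/\s+/).every(c => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`bad comparator: ${c}`);
    return ops[m[1] || '='](cmp(version, m[2]));
  });
}

// Constructed advisory feed: package name -> affected ranges.
const ADVISORIES = {
  'left-util': [{ id: 'DEMO-2017-001', range: '<1.2.4' }],
  'tarball-x': [{ id: 'DEMO-2016-042', range: '>=2.0.0 <2.1.3' }],
};
// Constructed registry view of the latest published version per package.
const LATEST = { 'left-util': '1.3.0', 'tarball-x': '2.1.3', 'safe-lib': '0.9.0' };

// deps: { name: installedVersion }, as read from a lockfile.
function audit(deps) {
  return Object.entries(deps).map(([name, version]) => ({
    name, version,
    outdated: name in LATEST && cmp(version, LATEST[name]) < 0,
    vulnerable: (ADVISORIES[name] || [])
      .filter(a => inRange(version, a.range)).map(a => a.id),
  }));
}

// Constructed dependency list: one outdated *and* vulnerable, one current
// (the patched release), one outdated but with no advisory against it.
const deps = { 'left-util': '1.2.0', 'tarball-x': '2.1.3', 'safe-lib': '0.8.0' };
for (const r of audit(deps)) console.log(r);
```

Only `left-util` gets a vulnerability id: `safe-lib` is behind but has no advisory, and `tarball-x` sits exactly on the patched release, which is the "trailing edge" the report gives beyond what "outdated" alone says.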
