Should we enable Snyk PR integration? #1094
Comments
|
Much of this integration's goal is to keep projects free of vulnerable dependencies continuously, but it's worth noting some projects under @nodejs use vulnerable packages today, as you can see in these test reports: This integration will make it easy to find out about these issues and fix them with a click with the right upgrades and patches. |
That sounds correct. |
I think all of those repos are not actively used? |
|
@Fishrock123 they indeed all see to have pretty old commits, just wasn't sure if they're still deployed somewhere. |
|
Since no objects has been made, I'm trying to get this setup. For reference I'm adding a couple of screenshots showing what I'm seeing. The first grant access screen (1) looks promising. Not so much for the request nodejs organization permissions modal (2) tho which is really misleading if it's true that Snyk won't actually request access to private org data. I've requested permissions from the nodejs org. Lets see if the org admins will grant it or not. Screenshot 1Screenshot 2 |
|
@phillipj I believe the private information in this statement only refers to the list of users in the org and perhaps some other metadata. The team is confirming that's accurate right now. As you can see in the first screen, we're definitely not requesting (nor getting) access to private repos. Last note - we request write access only because that's the only way that allows us to set a webhook. We never commit code to the repo otherwise, only submit fix pull requests. |
That might still be something we don't want. IIRC @ChALkeR might have some concerns about exposing org users?
If we were able to add that webhook manually ourselfs, would we avoid this issue entirely? |
|
The new GitHub integrations API has a more fine-grained permission system (and automatically creates a webhook). |
@phillipj the webhook creation needs to come from our server, as we add a secret to sign posted webhooks so we can trust their source to be GitHub. |
|
Denied, sorry. Access to 'private data' is too coarse.
This might be problematic. I don't think I can unilaterally agree to the T&C for the nodejs organization. Probably has to be brought up at a CTC or TSC meeting. |
|
Agree that the access to the "private organizational data" is far too vague to approve this. Our policy is to prevent access to private data by default. It needs to be clarified exactly what private data Snyk would have access to and the CTC or TSC would need to review and approve it. |
|
All, thanks for looking into this. Perhaps one of the admins on the repo, who can choose to grant the permissions locally, could browse to https://snyk.io/add and attempt to grant the (public only) access there? This should skip the second prompt which, as I mentioned, is simply a bit poorly phrased... |
|
As a general rule we don't enable org wide access to external applications for security reasons. We have sensitive information in private repositories. Being that there are only a few repos that we want to enable Snyk can we just configure a proper hook per repository? |
|
@mikeal, the hook needs to be setup by our system as it includes a shared secret to verify requests. However, you can easily control access further by creating a user that has access only to specific repos and integrate through that user. Would that be a valid way to set it up? |
No repos under the nodejs org is listed there. Not under the "other repositories" tab either. |
|
Philip, The repos you're seeing are based on the permissions you granted.
Since you didn't grant us permissions to the Nodejs org (you've made a
request but sounds like it wasn't approved yet), the repos you see and test
don't include that org.
My suggestion was that an admin in the org try that flow, as they would be
able to grant access directly, just to better demonstrate there is no
further "private" info we get access to, which is unclear from that pesky
bad phrasing in the GitHub second prompt :)
On Fri, 13 Jan 2017 at 07:38 Phillip Johnsen ***@***.***> wrote:
Perhaps one of the admins on the repo, who can choose to grant the
permissions locally, could browse to https://snyk.io/add and attempt to
grant the (public only) access there?
No repos under the nodejs org is listed there. Not under the "other
repositories" tab either.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1094 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABDh2ty7cNwFUt-uE_IB-qQGQo-ygAdbks5rRynegaJpZM4LcEhv>
.
--
--
Guy Podjarny | snyk.io | @guypod
|
|
All, it's been a long while since we had this conversation. Would now be a good time to integrate Snyk into the public Node.js repos? |
|
BTW: The private repos have been moved out nodejs/TSC#320. Does that help the situation? |
|
@Fishrock123 can you please take a look? |
|
@lpinca I've been uninvolved in this conversation to this point and it's not clear to me why I'm being cc'ed. Can you elaborate a bit? |
|
@Trott yes, sorry. I'll try to summarize. There was an attempt to enable Snyk on this repo which failed becuase Snyk required an org wide permission. @guypod argued that it's possible to grant access only to public repos.
So I tried to get the attention of some active org owners. |
|
BTW: Same goes for GitLocalize and Greenkeeper. Would be great assets for us. |
|
@fhemberger I got a solution from platform engineer of GitHub. I will share it soon. |
|
There are still sensitive repos in the org. Unless these applications can guarantee that they don't have private repo access I can't enable them, for now, still. We have the |
|
Got pinged to see if I was able to cancel the previous authorisation request, but I haven't found that anywhere on github.com so far. I tried to go through the authorisation process again, although the process seem to have been changed slightly, I'm not even able to request permissions anymore. This is what I did with a couple of added screenshots:
Click that red cross in step 4 doesn't delete my previous request, but sends me to an info page about OAuth restrictions. Screenshot 1Screenshot 2 |
|
@phillipj I think GitLocalize and Snyk has same problem. if you are member of Snyk. Let's solve this problem together. |
|
@sotayamashita I'm with Snyk, let's talk this through. How about a quick call to discuss? Can you ping a note to contact@snyk.io and I'll take it from there? |
|
Removed Snyk for the moment (see #1402), as we just push out static HTML and don't run any actual Node.js code in production. Closing this, but feel free to re-open once we want it back in place. |
|
@guypod My bad, I didn't notice you there. If you've straggled with it already, let's talk!! I will send a email. |
|
@sotayamashita hey Sam, I joined Snyk's dev rel team and can perhaps jump on a call to discuss this further - I'd be keen to help get this up and running again. I'm at simon@snyk.io. |
In August w/#841 we introduced Snyk to the project, but unfortunately wasn't able to turn on the PR integration of Snyk. That's cause it used to require private organisation wide access, which is a big no-no for the nodejs organisation.
I've been informed by @guypod that Snyk recently has made it possible to only provide public organisation wide access. AFAIK such permissions could be allowed by the nodejs org, @nodejs/ctc please correct me if I'm wrong.
@nodejs/website any thoughts on trying to enable this integration?
More about Snyk PR/alerts @ https://snyk.io/features.
The text was updated successfully, but these errors were encountered: