Merge pull request #35 from GovReady/ma-document_handling_snyk
Added Snyk Vulnerability Section to Docs (#32)
davidpofo authored Apr 23, 2021
2 parents 45817f7 + 9f3a852 commit 95400ca
Showing 2 changed files with 30 additions and 1 deletion.
Binary file added source/assets/snyk_circleci_fail.png
31 changes: 30 additions & 1 deletion source/developing-for-govready-q/index.rst
Expand Up @@ -203,10 +203,39 @@ Currently Implemented
| ``./manage.py test_screenshots --skip-checks`` | Skip system checks. |
+---------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+


Handling Snyk Vulnerability Scanner Results
############################################

.. _Snyk: https://snyk.io/

GovReady-Q uses `Snyk`_ for vulnerability scanning of python dependencies. The scanner runs in CircleCi at each push to the remote repository.

When a CircleCi build fails at the Snyk stage, this is most likely due to the fact that there is a dependency being used with a reported vulnerability as seen in this build fail example:

.. image:: ../assets/snyk_circleci_fail.png
:width: 600

Take the following actions depending on the state of the vulnerability and how it is used in GovReady-Q:


1. Upgrade Package
------------------------------------------
In order to resolve the build fail, create a ticket to upgrade the vulnerable package to the latest version.

2. Avoid Using Vulnerable Code
------------------------------------------
If upgrading is not possible (ex. latest version has a vulnerability), ensure that the vulnerable portion of the package is not being used.

3. Downgrade If Necessary
------------------------------------------
If it is not possible to avoid using the package in a vulnerable manner, open a ticket to downgrade the package to the latest non-vulnerable version if possible.

Invitations on local systems
----------------------------

You will probably want to try the invite feature at some point. The
debug server is configured to dump all outbound emails to the console.
So if you “invite” others to join you within the application, you’ll
need to go to the console to get the invitation acceptance link.
need to go to the console to get the invitation acceptance link.
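Review bot: the new "Handling Snyk Vulnerability Scanner Results" heading is underlined with `#` while the sections around it ("Currently Implemented", "Invitations on local systems") and its own three numbered options ("1. Upgrade Package" etc.) all use `-`; unless `#` is already an established higher level earlier in index.rst, Sphinx will treat the three options as siblings of the Snyk heading rather than its children, and "Invitations on local systems" will end up at the wrong depth. Use the underline index.rst already uses for this level and a consistently lower one for the three options. Option 2 ("Avoid Using Vulnerable Code") also leaves the CircleCI stage failing: the scanner reports the dependency as long as it is installed, so the text should say how the finding is suppressed once the unused code path is confirmed (for example an entry in the `.snyk` policy file with a reason and an expiry), so the decision is recorded and revisited. Minor: `CircleCi` should be `CircleCI`, and `python` should be capitalized.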
