Added Snyk Vulnerability Section to Docs (#32)
bama4 committed Mar 10, 2021
1 parent c622069 commit f06cb32
Showing 2 changed files with 27 additions and 0 deletions.
Binary file added source/assets/snyk_circleci_fail.png
27 changes: 27 additions & 0 deletions source/developing-for-govready-q/index.rst
Expand Up @@ -282,3 +282,30 @@ Currently Implemented
+---------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ``./manage.py test_screenshots --skip-checks`` | Skip system checks. |
+---------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------+

Handling Snyk Vulnerability Scanner Results
############################################

.. _Snyk: https://snyk.io/

GovReady-Q uses `Snyk`_ for vulnerability scanning of python dependencies. The scanner runs in CircleCi at each push to the remote repository.

When a CircleCi build fails at the Snyk stage, this is most likely due to the fact that there is a dependency being used with a reported vulnerability as seen in this build fail example:

.. image:: ../assets/snyk_circleci_fail.png
:width: 600

Take the following actions depending on the state of the vulnerability and how it is used in GovReady-Q:


1. Upgrade Package
------------------------------------------
In order to resolve the build fail, create a ticket to upgrade the vulnerable package to the latest version.

2. Avoid Using Vulnerable Code
------------------------------------------
If upgrading is not possible (ex. latest version has a vulnerability), ensure that the vulnerable portion of the package is not being used.

3. Downgrade If Necessary
------------------------------------------
If it is not possible to avoid using the package in a vulnerable manner, open a ticket to downgrade the package to the latest non-vulnerable version if possible.
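Review bot: step 2 ("Avoid Using Vulnerable Code") does not say how the failing CircleCI check is then resolved; as written, Snyk will keep failing the build on the reported dependency even when the vulnerable code path is not used, so the developer is left with a red build and no documented way forward. Suggest adding a sentence telling developers to record an ignore for that specific vulnerability in the project's Snyk policy, with a written justification and an expiry date so the finding is revisited rather than silenced permanently. Minor: `CircleCi` should be `CircleCI` and `python` should be `Python`, and the image directive would benefit from an `:alt:` line, e.g. `:alt: CircleCI build failing at the Snyk step`.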
