Use Snyk Vulnerability Scanning
- Status: accepted
- Deciders: @dynamike, @pjdufour-truss
- Date: 2018-08-13
Context and Problem Statement
An area of security risk to MyMove is supply-chain risk. In the context of software development, supply-chain risk is the risk that a malicious actor could insert malicious code somewhere into a source code dependency. The actor could attack a dependency directly by modifying a git repo, upload bad code to a package manager, man in the middle during the build process, or a wide variety of other scenarios.
Scanning software for known vulnerabilities (e.g., CVEs) is a critical step for mitigating supply-chain risk. However, it does not completely mitigate against zero-days, custom attacks, or other supply-chain attacks.
Decision Drivers
- Seamlessly integrates into our CI/CD workflow
- Scans JavaScript for known CVEs
- Scans Golang dependencies for known CVEs
- Maintenance cost
Considered Options
- GitHub
- Sonatype
- Snyk
- SonarQube
- Twistlock
Decision Outcome
Chosen option: "Use Snyk for Vulnerability Scanning". We'll use snyk test
and snyk monitor
for one-time tests and monitoring of our dependency tree.
Pros and Cons of the Options
GitHub
- Good, scans JavaScript
- Bad, does not scan Go
- Bad, run as a cron job scheduled by GitHub
- Bad, cannot run as part of our CI/CD workflow
- Good, no maintenance cost
Sonatype
- Good, scans JavaScript
- Bad, does not scan Go at this time.
- Bad, it would require rearchitecting our entire CI/CD pipeline
Snyk
- Good, scans JavaScript
- Good, scans Go
- Good, could fit into our CI/CD workflow with some shell scripting.
- Bad, GitHub integration requires write access to repos.
- Bad, vulnerability database for Go seems limited.
SonarQube
SonarQube is a leading open source product for continuous code quality, including a "quality gate" that integrates seamlessly into CI/CD workflow.
- Good, scans JavaScript
- Unsure, scans Go (not sure it scans for CVEs)
- Good, seamlessly integrates into CI/CD workflow
- Bad, requires running our own instance on EC2.
Twistlock
Twistlock looks like it is working on amazing things, but doesn't satisfy our requirements for scanning for known vulnerabilities before deploy.
- Good, container-first approach and we use containers.
- Bad, no deep scans for known vulnerabilities (CVEs)
- Bad, doesn't seamlessly integrate into our CI/CD workflow for this requirement.