Task
Resolution: Done
L3 - Default
As part of https://jira.camunda.com/browse/OPT-5921, we evaluated replacing or supplementing Dependabot with Snyk. While the dependency management functionality is largely similar, Snyk offers more functionality in terms of security vulnerability scanning and also allows scanning of Docker images, something we don't currently have. Furthermore, the cost of integration appears to be fairly low, and it has also already been done by other teams, so we have internal precedent.
ATs:
- Snyk is used for Docker image vulnerability scanning
- Optional: Snyk is used for dependency management (it is also acceptable for this to stay with Dependabot if there is good justification)
- Code scanning can stay with Sonar for now, and we can evaluate whether or not Snyk can replace it in future
- Maintenance branches are still targeted for dependency updates
Hints:
- https://confluence.camunda.com/display/HAN/Vulnerability+Scanning+with+Snyk
- Infra can assist with setup
- We should investigate whether or not Snyk can also help us proactively identify CVEs