Closed
Description
Context:
Snyk has found a few things for us so far:
- Moving to a fork for jwt-go with a CVE fix (transient dependency) kubernetes#100401
- Update github.com/miekg/dns to pick up fix for CVE-2019-19794. kubernetes#97405
- Bump github.com/Azure/go-autorest/autorest/adal to 0.9.5 kubernetes#95692
We have been talking to Snyk for a while now:
- Track CVEs for kubernetes dependencies... community#2992
- https://kubernetes.slack.com/archives/CHGFYJVAN/p1595258034095300
- https://kubernetes.slack.com/archives/CHGFYJVAN/p1594810830090800
Currently @PushkarJ @navidshaikh and others are looking at possibilities of automating (at least a proof of concept) to see what's possible.
Just to be clear, all this is stuff we would do BEFORE a release. We are not talking about scanning containers here, just a sanity check of the dependencies that we pull in.
What's the ask?
- Request CNCF folks (hi @idvoretskyi !!) to create a Snyk free account and an Org for Kubernetes with those who are doing the proof of concept
- Then we need to email Snyk folks to add the ability to mint new service accounts which can then be used in CI.
If you all approve, I can open up a service desk ticket with CNCF and get this going.
Thanks,
Dims
/area code-organization
/sig architecture