The more I try to use Snyk, the more I hate it with a passion. Seems like their motto is "collect everything, then drown in the garbage". Same things (like policies) can be done in three different places and none of them are consistent -- .snyk file vs API vs org policies. Depending on how and where you scan stuff, you get different results, and they're totally fine with it (at least it's documented).
=> More information about this toot | More toots from karlpoe@fosstodon.org
Shift left? More like sweep under the rug and forget it, because no sane person will deal with the amount of garbage it tries to cram down your throat.
=> More information about this toot | More toots from karlpoe@fosstodon.org
And in all fairness, a lot of the frustration comes from the fact that where I try to use it now, Snyk was rolled out without any consideration. More of a tool that was bought to satisfy some compliance needs, but beyond that no real ownership -- "just deal with it" ™️
=> More information about this toot | More toots from karlpoe@fosstodon.org
@karlpoe pro tip: don't deal with it.
If you're supposed to be using it as a box ticking tool - tick the box and move on.
But if you want to...
We've added a central policy file, pulled in manually, for all (300+) repositories. That's the only way to add ignores for us. Only 2-3 select persons ever look at results - we don't want all developers to be distracted by it. We escalate to team leads if necessary. It's mostly noise, but it has alerted us to an XSS in the stack. Once. In like 6-7y.
=> More information about this toot | More toots from dominykas@fosstodon.org
@dominykas that's super helpful, and in fact what I was leaning towards. Glad to get some validation that it's not me, it's the tool/situation. Made my day, thanks 🙂
=> More information about this toot | More toots from karlpoe@fosstodon.org
@karlpoe that's also not the fault of Snyk (although they could and should do better). All similar tools produce the same amount of noise and burden. Maaaybe socket.dev can improve on that, but generally - this is a commodity and nobody cares about actual security in the supply chain.
=> More information about this toot | More toots from dominykas@fosstodon.org
@dominykas agree, but they sure as hell don't make it any easier to focus on what's actually important. Found something along the lines of "Snyk means so now you know" in regard to someone asking why they cannot ignore certain stuff. Made me want to 🤮
=> More information about this toot | More toots from karlpoe@fosstodon.org