docs: Add Snyk status badge to README.md #12517
Conversation
Signed-off-by: Yuan Tang <[email protected]>
Unrelated: license scan has been failing for a long time. @agilgur5 Could you take a look?
I asked in #12470 (comment), but is Dependabot just behind Snyk? Since it should auto-update on security vulns.
Although in the case of #12515, there is no way to auto-update since it was using the Argo fork of go-git
Also left 1 comment in-line
This is waiting on Crenshaw (earlier Slack link) or someone else with existing FOSSA permissions to the Argoproj org, which I don't have
Can I remove the badge for now?
Signed-off-by: Yuan Tang <[email protected]>
Yeah, Dependabot is not fast enough.
Removed CI badge
It impacts our CLOMonitor score per #12032. So it would trade one failing badge in favor of a lower score in another badge, which I don't think is ideal either 😕 . I'd much rather fix the root cause (though I don't have permissions to do that myself)
How much lower?
I'm not sure from a quick check; it doesn't explicitly say in the docs (and I don't remember what it was beforehand), so I'd have to check its code to verify. Per #12032, CNCF has focused efforts on getting CLOMonitor scores up for a few years now. I wouldn't want to intentionally regress those.
@terrytangyuan I got the license scan to pass now, see details in #12023 (comment) and further comments.
Great to hear! Thanks!
Signed-off-by: Yuan Tang <[email protected]> (cherry picked from commit 5cded3a)
This is to draw attention to security issues. Snyk has been failing for a couple of days but we haven't noticed even before recent patch releases (example fix for a recent issue #12515 but the patch release is already out before this). https://github.com/argoproj/argo-workflows/actions/workflows/snyk.yml?query=branch%3Amain