With the GitHub Integration we configured in Section 1, Snyk is able to open Pull Requests to upgrade dependencies to non-vulnerable versions, helping to accelerate remediation.
Log into Snyk, and go into the gh-actions-academy project imported earlier. Scroll down to see the list of vulnerabilities present, ordered by our proprietary Priority Score. For each vulnerability, Snyk displays:
The module that introduced it and, in the case of transitive dependencies, its direct dependency.
Details on the path and proposed remediation, as well as the specific vulnerable functions.
When using the GitHub integration, and if a fix is available, Snyk can automatically upgrade the vulnerable dependency to a non-vulnerable version through a Pull Request. Click on "Fix this vulnerability" to do so.
On the next screen, you'll be able to confirm the issue to fix with this PR.
Looks good! Go ahead and open the PR.
Once it's ready, you'll be taken to the PR in GitHub, where you can review the changes in the file diff view:
We see that the CI checks completed successfully, confirming that we didn't introduce a breaking change.
Now, go ahead and merge the PR! You can also delete the branch. Back in Snyk, we can see that our package.json file has one fewer High Severity vulnerability.
Let's fast track to a clean develop branch with another Pull Request. This time, from the all-fixes branch into develop. The all-fixes branch was created by using the Snyk Wizard against our develop branch. If you'd rather do this yourself, git clone the repo to your workstation and run snyk wizard against it. We recommend pushing the changes into a new branch so you can continue the workshop from there.
Create a New Pull Request from all-fixes into develop. This introduces some changes:
The creation of a .snyk file, which is used to track the changes made by the Snyk Wizard.
package-lock.json files with updated dependencies.
You can explore these changes in the Comparing Changes view to learn more. When ready, finish creating and Merge the Pull Request.
If you left the Pull Request from Section 2 open, you can revisit it in the Pull Requests tab.
When the workflows re-run, this time, the Snyk Security gate and CI jobs should complete successfully.
Merge in the changes, and feel good that your PROD branch is free from Open Source Vulnerabilities! 🏆
You made it to the end of Part 1! Congratulations! Proceed to Part 2 to see how Snyk Container can help you keep this application secure as you package it in a container.