chore(security): drop Snyk, consolidate dep/CVE scanning on Grype #441
Snyk's GitHub SCM integration scans the full dependency requirement graph across every package.json/package-lock.json instead of the resolved, shipped dependency set, so it over-reports advisories in transitive packages the lockfile never resolves to: noise on top of a redundant paid integration. Grype matches lockfile-resolved versions and scans the built image's package catalog, so no requirement-graph false positives.

- Removed Snyk wiring: .snyk policy, security-snyk-weekly.yml, the setup-snyk composite action, and the scripts/snyk-* gate/quota scripts
- Added security-grype.yml: grype-deps (all six npm lockfiles; on PRs path-filtered to deps/Dockerfile/workflow + weekly cron + dispatch) and grype-image (built container, scheduled/manual only). SHA-pinned, harden-runner, persist-credentials:false, distinct SARIF categories, upload gated on public-repo visibility, fail-build on HIGH/CRITICAL
- Reworded the lefthook comment, dropped the README + apps/web Snyk badges, reworked the CONTRIBUTING scanning section, updated docs/ci-flow.html
- CHANGELOG: Unreleased → Changed entry with the requirement-graph vs shipped-deps rationale
- No govulncheck job and no Trivy: drydock is TypeScript/Node (not Go), and Grype already covers the SCA + container surface. CodeQL, dependency review, OpenSSF Scorecard, and zizmor remain as the free gates
The six closed/won't-fix cards tracked findings in security-snyk-weekly.yml and the scripts/snyk-* gate scripts, all now removed. Dropped the cards, deleted the now-empty hardening + decisions sections (and their dead CSS), and corrected the summary chips (26->21 closed, removed the 0 won't-fix chip).
biggest-littlest left a comment:
LGTM. Snyk wiring fully removed, Grype workflow is SHA-pinned with the container scan correctly gated off PRs. Grype dep scan + all required checks green.
ALARGECOMPANY left a comment:

Approving: clean cutover to Grype, rationale documented in the CHANGELOG. No required-check or branch-protection changes.
… gate (#442)

## What

Clears the HIGH/CRITICAL container-image CVEs that the new `grype-image` scan (added in #441) surfaced, and scopes the Grype image gate so it stays accurate going forward. Before this change the built release image reported **11 critical + 22 high**. After it: **0 HIGH/CRITICAL outside the two bundled third-party tool binaries** (`cosign`, `trivy`), which are triaged with a documented, location-scoped `.grype.yaml`.

## Changes

- **`Dockerfile`**: bump the base + pins that carried the fixable CVEs:
  - `node:24-alpine` → Alpine 3.24.1 digest (clears the Node-runtime CVE, musl, curl ×2, git)
  - `bash 5.3.3-r1 → 5.3.9-r1`, `git 2.52.0-r0 → 2.54.0-r0`
  - `cosign 2.6.3-r1 → 3.0.6-r1` (clears the bulk of the vendored-Go cosign CVEs; CLI `verify` flags drydock uses are unchanged)
- **`.grype.yaml`** (new): location-scoped `ignore` for `/usr/bin/cosign` and `/usr/bin/trivy` only. These are vendored Go-module CVEs compiled into the upstream tool binaries; we can't patch them independently. They clear when Alpine rebuilds those packages, which we pick up on the next base bump. The Node runtime, every OS package, and the entire app dependency graph stay fully gated. Gating on a module graph we don't ship is the same manifest-vs-shipped mismatch we dropped Snyk over.
- **`security-grype.yml`**: wire `GRYPE_CONFIG` to the repo-root `.grype.yaml` so the gate is deterministic across action versions (grype also auto-discovers it, but pinning the path is explicit).
- **`CHANGELOG.md`**: `Security` entry under Unreleased.

## Verification

- Full release image scan: `grype --fail-on high` with the config exits **0** (was exit 2 / 33 findings). HIGH+ findings outside the two triaged binaries: **0**.
- cosign 3.0.6 CLI confirmed compatible with `app/security/scan.ts`'s `verify --output json --key --certificate-identity --certificate-oidc-issuer`.
- qlty / hadolint / yamllint clean on changed files.
The red `grype-image` alerts currently in the Security tab will auto-close on the next scan once this lands (the new SARIF no longer reports them).
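As an added illustration of the location-scoped triage described in #442 (example config written for this page, not the project's committed `.grype.yaml`), the two rules below suppress findings only for packages that syft catalogued inside the two tool binaries, so the same Go module found anywhere else in the image still fails the gate. The commented-out rule shows the broader name-only ignore that would also hide the advisory in the app's shipped dependency graph; field names follow Grype's `ignore` schema, and the module name in that comment is a constructed placeholder.

```yaml
# .grype.yaml (added example; not the project's file)
ignore:
  # Vendored Go-module CVEs compiled into the upstream cosign binary.
  # Matches only packages whose catalogued location is the binary itself.
  - package:
      location: "/usr/bin/cosign"
  # Same treatment for the bundled trivy binary.
  - package:
      location: "/usr/bin/trivy"

  # To narrow a rule further, pair the location with a specific advisory:
  # - vulnerability: CVE-0000-00000      # placeholder ID, not a real finding
  #   package:
  #     location: "/usr/bin/cosign"

  # Anti-pattern (kept commented out): ignoring by module name alone would
  # silence the same advisory if the module ever appeared in the app's own
  # resolved dependencies, which is the manifest-vs-shipped mismatch the
  # rationale above warns about.
  # - package:
  #     name: example.invalid/some-go-module   # constructed placeholder
```

Run it locally with `GRYPE_CONFIG=.grype.yaml grype <image> --fail-on high` (grype honours that environment variable, as the PR notes); a reviewer checking the triage should confirm every ignore rule carries a `location` and that no rule matches on `name` alone.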
Decommissions Snyk and consolidates dependency/CVE scanning on Grype.
Why
Snyk's GitHub SCM integration scans the full dependency requirement graph across every `package.json`/`package-lock.json` rather than the resolved, shipped dependency set, so it over-reports advisories in transitive packages the lockfile never resolves to: noise on top of a redundant paid integration that, in practice, was never even wired up (`SNYK_TOKEN` was never set, so the weekly jobs always took the skip path). Grype matches lockfile-resolved versions and scans the built image's package catalog, so no requirement-graph false positives.

What

Removed

- `.snyk` policy file
- `.github/workflows/security-snyk-weekly.yml` (6-job paid-scan workflow)
- `.github/actions/setup-snyk/` composite action
- `scripts/snyk-*` gate + quota scripts (+ its test)
- README (+ `apps/web`) Snyk badges; reworked the CONTRIBUTING scanning section; updated `docs/ci-flow.html`; dropped the stale Snyk cards from `docs/audit-findings.html`

Added

- `security-grype.yml` (no `govulncheck`; drydock is TypeScript/Node, not Go)
  - `grype-deps`: `anchore/scan-action` `path: .` over all six npm lockfiles (root, app, ui, e2e, apps/demo, apps/web); runs on PRs (path-filtered to deps/Dockerfile/workflow) + weekly cron + dispatch
  - `grype-image`: builds + scans the container; `if: github.event_name != 'pull_request'` so PRs don't pay for a Docker build
  - `persist-credentials: false`, distinct SARIF categories, upload gated on public-repo visibility, `fail-build` on HIGH/CRITICAL
- CodeQL (SAST), dependency-review, OpenSSF Scorecard, and zizmor remain as the free gates. Trivy intentionally not added.

Verification

- `git archive HEAD | grype dir:… --fail-on high` → No vulnerabilities found
- The Snyk org-dashboard + GitHub-app teardown is the only remaining step, done by the owner in the Snyk UI; the repo side is clean. The unused `ci-security` environment was already deleted.
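The workflow layout the PR body describes (two jobs, PR path filter plus cron and dispatch, image job gated off pull requests, SARIF uploads under distinct categories, upload gated on public visibility, fail-build on HIGH/CRITICAL), reconstructed here as an added example rather than the project's committed `security-grype.yml`. Assumptions: every action ref uses the placeholder `<pinned-sha>` in place of the audited commit SHA; the cron schedule, the `drydock:scan` image tag and the exact path list are constructed; the `github.event.repository.visibility == 'public'` expression is one way to implement the visibility gate, not necessarily the author's.

```yaml
# .github/workflows/security-grype.yml (added example; not the project's file)
# Replace every <pinned-sha> with the full commit SHA you audited.
name: security-grype

on:
  pull_request:
    paths:                                   # constructed approximation of "deps/Dockerfile/workflow"
      - '**/package-lock.json'
      - '**/package.json'
      - 'Dockerfile'
      - '.github/workflows/security-grype.yml'
  schedule:
    - cron: '0 6 * * 1'                      # constructed: weekly, Monday 06:00 UTC
  workflow_dispatch:

permissions:
  contents: read                             # least privilege by default; jobs add only what they need

env:
  GRYPE_CONFIG: .grype.yaml                  # explicit config path, as #442 wires it

jobs:
  grype-deps:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write                 # needed only for the SARIF upload
    steps:
      - uses: step-security/harden-runner@<pinned-sha>   # vX.Y.Z placeholder
        with:
          egress-policy: audit
      - uses: actions/checkout@<pinned-sha>              # vX.Y.Z placeholder
        with:
          persist-credentials: false         # don't leave the token in .git/config
      # One directory scan: syft catalogues every package-lock.json under the
      # repo root, so all six lockfiles are covered by a single invocation.
      - id: deps
        uses: anchore/scan-action@<pinned-sha>           # vX.Y.Z placeholder
        with:
          path: .
          fail-build: true
          severity-cutoff: high              # HIGH and CRITICAL fail the job
          output-format: sarif
      # always() so findings reach the Security tab even when the gate failed.
      - if: always() && github.event.repository.visibility == 'public'
        uses: github/codeql-action/upload-sarif@<pinned-sha>   # vX.Y.Z placeholder
        with:
          sarif_file: ${{ steps.deps.outputs.sarif }}
          category: grype-deps               # distinct category per scan surface

  grype-image:
    if: github.event_name != 'pull_request'  # no Docker build on PRs
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: step-security/harden-runner@<pinned-sha>   # vX.Y.Z placeholder
        with:
          egress-policy: audit
      - uses: actions/checkout@<pinned-sha>              # vX.Y.Z placeholder
        with:
          persist-credentials: false
      - run: docker build -t drydock:scan .  # constructed tag for the local image
      - id: image
        uses: anchore/scan-action@<pinned-sha>           # vX.Y.Z placeholder
        with:
          image: drydock:scan                # scans the built image's package catalog
          fail-build: true
          severity-cutoff: high
          output-format: sarif
      - if: always() && github.event.repository.visibility == 'public'
        uses: github/codeql-action/upload-sarif@<pinned-sha>   # vX.Y.Z placeholder
        with:
          sarif_file: ${{ steps.image.outputs.sarif }}
          category: grype-image
```

Two points worth checking when reviewing a workflow like this: the two jobs must upload under different `category` values, otherwise the second upload replaces the first job's alerts rather than adding to them; and the top-level `permissions: contents: read` means any job that omits its own `permissions` block cannot write security events, which is the intended default.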