I see that I’ll need to run the snyk CLI in CI in order to do that, but this requires credentials. Additionally, I’m wondering if I’ll need to create the project in Snyk and so on? The LFX documentation doesn’t say how the integration between Snyk and LFX Security works, so I’m kind of blind as to what will be required to do on my side.
I can open an LF ticket if that’s a better way to ask for that.
Hey, Snyk supports C++, see Snyk for C/C++ - Snyk User Docs. At least it supports vulnerability reports. It doesn’t report licenses I think. C++ is only supported through the CLI. That’s why I said I’ll need to use the CLI, but for that I need credentials and a project in Snyk. How does that work with LFX Security? For example in other places, I’ve seen suggestions to run BluBracket as part of CI so that we get sensitive language + secret scanning as part of PRs, etc. Wouldn’t that require API credentials too?
Once connected, you can run all the Snyk CLI commands. Feel free to publish the results into our account via the snyk monitor command. These would be later fetched and displayed in the LFX Security console.
Thank you! I saw that. I’ll try a simple test (without uploading) to see if everything works.
I have a ticket opened with Snyk right now so that they can fix some problems with the scan of one of our projects. So far I’ve been using my own user+org. Once the Snyk problems are sorted out, I’ll be able to publish straight using the provided API key.
Hey, so the key I received worked. But now I’m blocked by Snyk. I have a ticket opened with them because it’s not able to correctly find our C++ dependencies, even if we have one of the simplest setups out there (all our dependencies are unmodified git submodules, which means Snyk should be able to find all files, etc). The last update I had from them was “we are sorry but it’ll take a long time before we can look at your ticket”. Is there a way to potentially speed that up a bit?
I’m starting to think that we might be better with publishing an SBOM to GH using the Dependency submission API (see Using the Dependency submission API - GitHub Docs). I’d need a custom tool to generate an SBOM from submodules, but that should be easy to write. The downside is that it won’t show up in LFX Security.
Does someone have any opinions on what we should do next?
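The submodule-to-SBOM tool mentioned above, as an added example that is not part of the thread or of any project's code: it parses a `.gitmodules` file plus `git submodule status` output (constructed sample data here) into the snapshot JSON body the GitHub Dependency submission API accepts, pinning each submodule as a package URL at its recorded commit. The detector name/URL and the `example.invalid` host are placeholders.

```python
"""Build a GitHub dependency-graph snapshot from git submodules (added example)."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample input: a .gitmodules file and `git submodule status` output.
GITMODULES = """\
[submodule "third_party/fmt"]
\tpath = third_party/fmt
\turl = https://github.com/fmtlib/fmt.git
[submodule "third_party/spdlog"]
\tpath = third_party/spdlog
\turl = https://github.com/gabime/spdlog
"""
# Leading char: ' ' checked out at recorded commit, '-' not initialised, '+' drifted.
SUBMODULE_STATUS = """\
 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 third_party/fmt (10.1.1)
-0123456789abcdef0123456789abcdef01234567 third_party/spdlog
"""
STATUS_RE = re.compile(r"^[ +\-U]([0-9a-f]{40})\s+(\S+)", re.M)

def parse_gitmodules(text):
    """Map submodule path -> clone URL."""
    mods, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[submodule"):
            cur = {}
            mods[line] = cur
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return {m["path"]: m["url"] for m in mods.values() if "path" in m and "url" in m}

def to_purl(url, sha):
    """Package URL for a git dependency pinned at a commit (pkg:github, else pkg:generic)."""
    clean = url.rstrip("/")
    clean = clean[:-4] if clean.endswith(".git") else clean
    m = re.match(r"^(?:https?://|git@)github\.com[/:]([^/]+)/([^/]+)$", clean)
    if m:
        return f"pkg:github/{m.group(1).lower()}/{m.group(2).lower()}@{sha}"
    name = clean.rsplit("/", 1)[-1]
    return f"pkg:generic/{name}?vcs_url=" + quote(f"git+{clean}@{sha}", safe="")

def build_snapshot(gitmodules, status, repo_sha, ref):
    """Body for POST /repos/{owner}/{repo}/dependency-graph/snapshots."""
    urls = parse_gitmodules(gitmodules)
    resolved = {}
    for sha, path in STATUS_RE.findall(status):
        if path not in urls:  # index and .gitmodules disagree: refuse to emit an incomplete SBOM
            raise ValueError(f"{path} is in the index but not in .gitmodules")
        resolved[path] = {"package_url": to_purl(urls[path], sha),
                          "relationship": "direct", "scope": "runtime", "dependencies": []}
    return {"version": 0, "sha": repo_sha, "ref": ref,
            "job": {"correlator": "submodule-sbom", "id": "1"},
            "detector": {"name": "submodule-sbom", "version": "0.1.0",
                         "url": "https://example.invalid/submodule-sbom"},  # placeholder
            "scanned": datetime.now(timezone.utc).isoformat(),
            "manifests": {".gitmodules": {"name": ".gitmodules",
                          "file": {"source_location": ".gitmodules"}, "resolved": resolved}}}

if __name__ == "__main__":
    print(json.dumps(build_snapshot(GITMODULES, SUBMODULE_STATUS, "f" * 40, "refs/heads/main"), indent=2))
```

The JSON can be submitted with `gh api --method POST repos/OWNER/REPO/dependency-graph/snapshots --input snapshot.json` using a token with write access to the repository, and the listed commits then appear in the repository's dependency graph.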