
[optimisation] Snyk / Netlify / Zap proxy / Lighthousebot

Open wallies opened this issue 4 years ago • 7 comments

Is your feature request related to a problem? Please describe. More security and automated testing for PRs and the dev environment before code makes it into the live site.

Describe the solution you'd like

  • Snyk - can detect dependencies that have security alerts on them and raise PRs. Good to keep the project up to date but does rely on having a good test suite, so you know nothing will break.
  • Netlify - Can allow you to deploy whole site for PRs, so more dynamic tests can be run, so you can know if new code is introducing performance or security issues. Also will allow you to run more dev environments for different purposes.
  • Zap proxy - Dynamic security testing
  • Lighthousebot - performance budgets
  • ESLint Security - static security type checking
  • Nodejsscan - static security scanning

I thought I would raise an issue before opening PRs for some of these possible features / additions. Also some of them require admin / contributor access to the repo, so I can't set some of them up.

Could also use the GitHub security alerts feature or dependency.io for security updates. Also could look to use websitepagetest for performance budgets as well.

wallies avatar Jul 27 '19 04:07 wallies
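One way to wire the "Zap proxy - dynamic security testing" item above to a Netlify PR build, as an added example that is not part of this issue or of the project's repository: a POSIX shell script that runs the OWASP ZAP baseline scan from CI against the deploy preview and turns ZAP's documented exit code into a pass/warn/fail verdict for the PR check. It assumes Docker is available on the CI runner, that the job exports the preview URL as `ZAP_TARGET` (an assumed variable name; Netlify itself exposes the URL to its own build as `DEPLOY_PRIME_URL`), and that `ZAP_STRICT` (also assumed) controls whether warnings block the merge.

```shell
#!/bin/sh
# Added example (not code from the issue or the project): run the OWASP ZAP
# baseline scan against a Netlify deploy preview from CI and map ZAP's exit
# code to a PR verdict. Assumes docker on the runner and, as an assumption,
# that the CI job sets ZAP_TARGET to the preview URL and ZAP_STRICT=1 when
# warnings should block the PR.
set -eu

# zap-baseline.py exit codes as documented by the ZAP project:
#   0 = nothing above threshold, 1 = at least one FAIL,
#   2 = WARN(s) but no FAIL, 3 = the scan itself failed (bad URL, timeout, ...)
zap_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail" ;;
    2) echo "warn" ;;
    *) echo "error" ;;
  esac
}

# Decide whether the PR check should go red. FAIL and scan errors always
# block; WARN only blocks in strict mode, so a project can start with a
# non-blocking scan and tighten it once the baseline is clean.
should_block() {
  verdict="$1"
  strict="${2:-0}"
  case "$verdict" in
    fail|error) return 0 ;;
    warn) [ "$strict" = "1" ] ;;
    *) return 1 ;;
  esac
}

# The container writes its reports under /zap/wrk, so the workspace is
# mounted there; -m is the spider time budget in minutes.
run_zap_baseline() {
  target="$1"
  docker run --rm -v "$(pwd):/zap/wrk:rw" -t owasp/zap2docker-stable \
    zap-baseline.py -t "$target" -r zap-report.html -J zap-report.json -m 5
}

# Only perform the real scan when invoked as `./zap-preview.sh scan`, so the
# helper functions can be sourced or tested without Docker.
if [ "${1:-}" = "scan" ]; then
  target="${ZAP_TARGET:?set ZAP_TARGET to the deploy preview URL}"
  code=0
  run_zap_baseline "$target" || code=$?   # capture the code without tripping set -e
  verdict=$(zap_verdict "$code")
  echo "ZAP baseline against $target: $verdict (exit $code); report in zap-report.html"
  if should_block "$verdict" "${ZAP_STRICT:-0}"; then
    exit 1
  fi
fi
```

Run it as `ZAP_TARGET="$DEPLOY_PRIME_URL" ./zap-preview.sh scan` from the CI step that follows the Netlify preview deploy; the HTML and JSON reports land in the working directory and can be uploaded as build artifacts for the PR reviewer.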

Sounds like some good additions. I use Snyk and Lighthouse a lot, and am interested to look a bit more into the others. At this point we really haven't started much on optimisations, but having a few benchmark scores would be nice and give us an indication of how much/little there is to do.

If you let me know which of these will need API keys I can set them up using the project admin email account. Also, whichever need admin GitHub integration, just let me know.

chrismclarke avatar Jul 31 '19 12:07 chrismclarke

@chrismclarke I'm interested in becoming a contributor more often if it helps set these things up more easily. Here is an example PR from Snyk with high-severity security fixes; it runs the build and deploys with Netlify, so you can then view the PR build site. https://github.com/wallies/onearmy/pull/5 https://app.netlify.com/sites/focused-perlman-fc922a/deploys/5d609e1fc5bf2b00075d762b

Otherwise you will need to sign up for snyk.io and Netlify, and you can probably do automated PRs, as they can run the tests and you can see if they pass, and if you set up Netlify with it you can see if anything breaks.

Will raise PRs for ESLint security and ZAP proxy integration.

wallies avatar Aug 24 '19 02:08 wallies

@chrismclarke so we have ZAP, Lighthouse bot and ESLint security merged into the CI testing branch so far. The other major thing from above is definitely setting up Netlify; then you can have dynamic CI envs.

wallies avatar Aug 31 '19 14:08 wallies

Thanks @wallies, all the additions are really appreciated. I haven't used Netlify myself before, but taking a quick look through the docs and a few forums it seems like a pretty solid option and fits well with our model of slowly transitioning away from a dependency on Firebase (although still nice to have as an option, of course).

Although I don't think we would need to take the full leap until we are ready to move the full stack (incl. file hosting, backend functions and DB). I would suggest holding off for now unless there is something critical that just can't be done with the current CI pipelines.

chrismclarke avatar Aug 31 '19 15:08 chrismclarke

Yeah, I definitely don't suggest moving the full stack to Netlify yet. I'm more advocating for doing something like this: https://github.com/wallies/onearmy/pull/11. This has Snyk integration, yes, but the main thing here is the Netlify build on PR, then Lighthousekeeper runs against the PR Netlify build. Also added nodejsscan, which is a static security scanner.

wallies avatar Sep 02 '19 11:09 wallies

Hi @wallies @BenGamma @chrismclarke. Thanks for giving Lightkeeper a try! I'd appreciate if you could give it a ⭐️ if you found it helpful. Thanks!

lfre avatar Oct 22 '19 21:10 lfre

Just done, @lfre. Keep up the awesome work!

chrismclarke avatar Nov 03 '19 00:11 chrismclarke