From e4dd09151890cf5bcac45149d19c9e45ae797bf9 Mon Sep 17 00:00:00 2001 From: Pedro Barreto Date: Wed, 19 Feb 2020 16:49:02 +0100 Subject: [PATCH] added snyk investigation findings (#175) --- code_quality_security/snyk_investigation.md | 30 +++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 code_quality_security/snyk_investigation.md diff --git a/code_quality_security/snyk_investigation.md b/code_quality_security/snyk_investigation.md new file mode 100644 index 000000000..edb243ac7 --- /dev/null +++ b/code_quality_security/snyk_investigation.md @@ -0,0 +1,30 @@ +Snyk NPM Scans + +Pros +* Integrates with CircleCi (has specific orb) +* Can be executed locally using a CLI (pre-commit hooks for example) +* Can be configured to ignore some vulnerabilities or fail only above certain threshold +* Slack integration and email reports +* Ability to automatically create a PR with the fixes +* Unlimited tests for OSS public projects +* Large and up-to-date vulnerability database +Cons +* Fancy reports not available in free version +* License compliance management not available in free version +* API not available in free version + +Snyk Containers Scans + +Pros +* Integrates with CircleCi (caveat below) +* Scans Dockerfile(s) +* Can be executed locally using a CLI, these appear to not count for the 100 scans limit +* Can test images from Helm charts + +Cons +* Limited to 100 tests per month +* Kubernetes integration is for paid license only +* Fancy reports not available in free version +* License compliance management not available in free version +* API not available in free version +* Integrates with CircleCi requires access to DockerHub credentials (user+pass), not ideal
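Review bot: The new file is a `.md` document but uses no Markdown headings, so "Snyk NPM Scans", "Snyk Containers Scans", "Pros" and "Cons" will render as plain paragraphs; suggest `# Snyk NPM Scans` / `## Pros` / `## Cons` and a blank line before the first "Cons" to match the second section. The last bullet, "Integrates with CircleCi requires access to DockerHub credentials (user+pass), not ideal", is also the "caveat below" referenced in the Pros list, so name it as such and fix the grammar ("CircleCI integration requires DockerHub credentials (user+pass) to be stored in CI, which is not ideal"); since this is the main security finding of the investigation, it would help to state what the document recommends instead (for example a dedicated, least-privileged access token rather than the account password, if Snyk supports that). Finally, "these appear to not count for the 100 scans limit" is a hedge: either confirm it against the Snyk plan terms or mark it explicitly as unverified, and consider dating the limits (100 tests per month, free-tier feature list) since they are plan details that change.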