Using Snyk with Mergify
Streamline your dependency management.
Dependency management is pivotal for maintaining a robust and secure project. But with regular updates, security patches, and version changes, it can become overwhelming. Snyk and Mergify combined, offer a powerful solution to streamline this process.
Snyk is a developer-focused security platform. Apart from its renowned vulnerability scanning capabilities, it offers automated pull requests for dependency updates. Regularly, Snyk checks your project dependencies, and upon identifying a newer version, opens a pull request on your GitHub repository. This PR contains detailed information about the update, allowing for a thorough review.
- Choose a GitHub repository.
- Create a Mergify account and integrate it with your repository.
- Create a Snyk account and link it to your GitHub repository.
Sign-up/log-in to Snyk.
Add projects, and import the desired GitHub repositories.
- To enable automated dependency upgrades:
- Scroll to
Automatic dependency upgrade PRsand activate it.
Log in to Mergify with your GitHub credentials.
Select the repositories you want Mergify to manage.
Define the merge policy using the Mergify configuration file file in the repository root.pull_request_rules:- name: Automatic merge Snyk PRs on Status Checks passingconditions:- author = snyk-bot- base = mainactions:merge:method: merge
This configuration ensures that Snyk PRs are automatically merged when they meet the defined conditions.
If you are using Mergify merge queue in projects where there are frequent updates to a large number of small libraries, it's efficient to batch these updates together. Using Mergify's merge queue feature, you can automatically batch and test these updates together, reducing CI load and ensuring compatibility.
For example, you could set up a merge queue to batch those PRs 10 by 10:
queue_rules:# If you have other queues defined, add this at the end so it is processed last- name: dep-updatebatch_size: 10# Wait for up to 30 minutes for the batch to fill upbatch_max_wait_time: 30 minqueue_conditions:- author = snyk-botpull_request_rules:- name: Automatically queue Snyk PRsconditions:- author = snyk-botactions:queue:
To avoid being overwhelmed with too many PRs, consider the following strategies using Snyk:
Limit Open Upgrade PRs: Restrict the number of simultaneous Snyk upgrade PRs.
Selective Package Upgrades: Choose specific packages to exclude from automated updates.
Scope of Changes: Opt for automatic upgrades of only minor and patch versions to avoid potential breaking changes.
Automatically Merge: Merge the pull requests as soon as they are ready.
Batch Merge: Leverage batches to save CI time when using Mergify's Merge Queue.
When integrated, Mergify and Snyk transform dependency management into a seamless process. Developers no longer need to keep tabs on every update or fear merging PRs that might break the CI. By leveraging these tools, projects stay updated, secure, and efficient, letting teams focus on what they do best: creating excellent software.