Using Snyk with Mergify

Streamline your dependency management.

Dependency management is pivotal for maintaining a robust and secure project, but the steady stream of regular updates, security patches, and version changes can become overwhelming. Combined, Snyk and Mergify offer a powerful way to streamline this process.

Snyk is a developer-focused security platform. Apart from its renowned vulnerability scanning capabilities, it offers automated pull requests for dependency updates. Snyk regularly checks your project's dependencies and, upon identifying a newer version, opens a pull request on your GitHub repository. This PR contains detailed information about the update, allowing for a thorough review.

[Figure: Snyk pull request details on GitHub]

Setting Up Automated Dependency Upgrades with Snyk

  1. Initial Setup

    • Choose a GitHub repository.
    • Create a Mergify account and integrate it with your repository.
    • Create a Snyk account and link it to your GitHub repository.
  2. Configuring Snyk

    • Sign-up/log-in to Snyk.

    • Go to Projects > Add projects, and import the desired GitHub repositories.

    [Figure: Enable desired repositories on Snyk]

    • To enable automated dependency upgrades, go to Settings > Integrations > GitHub.

    [Figure: GitHub integrations menu in Snyk]

    • Scroll to Automatic dependency upgrade PRs and activate it.

    [Figure: Automatic dependency upgrade PRs in the Snyk interface]
  3. Mergify Configuration

    • Log in to Mergify with your GitHub credentials.

    • Select the repositories you want Mergify to manage.

    • Define the merge policy in the Mergify configuration file in the repository root:

      pull_request_rules:
        - name: Automatic merge Snyk PRs on Status Checks passing
          conditions:
            - author = snyk-bot
            - base = main
          actions:
            merge:
              method: merge

      This configuration ensures that Snyk PRs are automatically merged when they meet the defined conditions. Note that the conditions shown only match the PR author and base branch; if a green CI run should be a hard requirement for the merge, add a check-success condition for your CI job to the conditions list.

If you use the Mergify merge queue in a project that receives frequent updates to a large number of small libraries, it is more efficient to batch these updates together. With Mergify's merge queue, you can automatically batch and test these updates as a group, reducing CI load while still ensuring compatibility.

For example, you could set up a merge queue to batch those PRs 10 by 10:

queue_rules:
  # If you have other queues defined, add this at the end so it is processed last
  - name: dep-update
    batch_size: 10
    # Wait for up to 30 minutes for the batch to fill up
    batch_max_wait_time: 30 min
    queue_conditions:
      - author = snyk-bot

pull_request_rules:
  - name: Automatically queue Snyk PRs
    conditions:
      - author = snyk-bot
    actions:
      queue:

Tips for Efficient Dependency Upgrades


To avoid being overwhelmed with too many PRs, consider the following strategies using Snyk:

  1. Limit Open Upgrade PRs: Restrict the number of simultaneous Snyk upgrade PRs.

  2. Selective Package Upgrades: Choose specific packages to exclude from automated updates.

  3. Scope of Changes: Opt for automatic upgrades of only minor and patch versions to avoid potential breaking changes.

  4. Automatically Merge: Merge the pull requests as soon as they are ready.

  5. Batch Merge: Leverage batches to save CI time when using Mergify’s Merge Queue.
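Tip 3 is a Snyk-side setting; as an added example that is not part of this page, nor Mergify's or Snyk's own tooling, the following Python shows how to enforce the same minor-and-patch-only policy on the Mergify side by classifying Snyk PR titles, and gives a backreference regex usable as a `title ~=` condition. The Snyk title format and Mergify's support for regex backreferences are assumptions to verify against your own repository.

```python
import re

# Assumed Snyk PR title format (not taken from the page; verify in your repo):
#   "[Snyk] Upgrade <package> from <x.y.z> to <x.y.z>"
#   "[Snyk] Security upgrade <package> from <x.y.z> to <x.y.z>"
# Vulnerability-fix PRs ("[Snyk] Fix for N vulnerabilities") carry no version pair.
UPGRADE_TITLE = re.compile(
    r"^\[Snyk\] (?:Upgrade|Security upgrade) (?P<pkg>\S+) "
    r"from (?P<old>\d+\.\d+\.\d+) to (?P<new>\d+\.\d+\.\d+)$"
)

# Same shape with a backreference: it only matches when the major component is
# unchanged, so it can be dropped into a Mergify condition such as
#   - title ~= ^\[Snyk\] (Upgrade|Security upgrade) \S+ from (\d+)\.\d+\.\d+ to \1\.\d+\.\d+$
# (assumption: Mergify's regex engine supports backreferences like Python's re).
SAME_MAJOR_TITLE = re.compile(
    r"^\[Snyk\] (?:Upgrade|Security upgrade) \S+ "
    r"from (\d+)\.\d+\.\d+ to \1\.\d+\.\d+$"
)


def bump_type(title):
    """Classify a Snyk PR title as 'major', 'minor', 'patch', or None if not an upgrade PR."""
    m = UPGRADE_TITLE.match(title)
    if not m:
        return None
    old = [int(p) for p in m["old"].split(".")]
    new = [int(p) for p in m["new"].split(".")]
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def triage(titles):
    """Split PR titles into those an auto-merge rule may take and those needing a human."""
    auto, manual = [], []
    for t in titles:
        kind = bump_type(t)
        # Cross-check: the classifier and the single-regex form must agree on every title.
        assert (kind in ("minor", "patch")) == bool(SAME_MAJOR_TITLE.match(t)), t
        (auto if kind in ("minor", "patch") else manual).append(t)
    return auto, manual


# Constructed sample titles, not real PRs.
SAMPLE_TITLES = [
    "[Snyk] Upgrade lodash from 4.17.20 to 4.17.21",
    "[Snyk] Security upgrade axios from 0.21.1 to 0.21.4",
    "[Snyk] Upgrade express from 4.18.2 to 5.0.0",
    "[Snyk] Upgrade react from 17.0.2 to 17.1.0",
    "[Snyk] Fix for 3 vulnerabilities",
]

if __name__ == "__main__":
    auto, manual = triage(SAMPLE_TITLES)
    print("auto-merge candidates:", auto)
    print("needs review:", manual)
```

Titles that do not parse as an upgrade (such as the vulnerability-fix PR) deliberately fall into the manual bucket rather than being merged by default.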

When integrated, Mergify and Snyk transform dependency management into a seamless process. Developers no longer need to keep tabs on every update or fear merging PRs that might break the CI. By leveraging these tools, projects stay updated, secure, and efficient, letting teams focus on what they do best: creating excellent software.