Support 3rd party vulnerabilityAlerts providers

[ArtyomGabeev]

Tell us more.

Right now vulnerabilityAlerts feature works only on github platform.
We use the provided API to find existing vulnerabilities in the repository.
I think the feature is great, but it's limited only for GitHub users.

Can we add support for 3rd party vulnerability scan tools?
I'm interested in one, based on snyk.io integration. We can use snyk.io provided rest api to build a list of VulnerabilityAlert objects.

If we are interested in, I would like to understand how to proceed:

1. Have a snyk or any 3rd party integration as part of renovate code base
2. Allow to run external process/command, similar how we do with postUpgradeActions and parse sout response.

Note:
I can contribute this change, if it's applicable.

[rarkins]

Unfortunately no. Renovate is built/funded by Mend.io, which is a direct competitor to such alerting companies (especially Snyk). Although the Open Source Renovate project exists almost entirely independently of Mend.io commercial requirements, we definitely don't want to support direct competition. i.e. our competitor gets paid, but we do not. It's simply not possible to continue funding this project under such circumstances.

This type of integration can be supported in Renovate Enterprise however, so feel free to reach out to Mend's sales org with your request if you're interested: https://www.mend.io/renovate/

[ArtyomGabeev]

I understand your point.

However, there are open source alternatives, like:
https://central.sonatype.com/artifact/org.owasp/dependency-check-maven/9.2.0/&smo=true
https://github.com/jeremylong/DependencyCheck
Which uses National Vulnerabilities Database: https://nvd.nist.gov/
or other CVE based DBs: https://cve.mitre.org/cve/search_cve_list.html

Can we allow users to specify vulnerability alert providers as external commands/programs (similar to postUpgradeActions) in order to provide hints to renovate without mentioning specific implementations?

[rarkins]

Renovate supports the OSV DB

[ArtyomGabeev]

I found an osv repo in renovate org. Can it be used with self-hosted runners? Any docs on how to configure it?

[rarkins]

Yes, search the renovate docs for "osv"