We have recently integrated Snyk into our GitHub project, and Snyk has this cool feature to "open a fix PR" for the vulnerability that it can directly fix. The PR is opened, but our CI/CD pipeline expects a DCO, i.e., commit sign-offs. However, Snyk does not sign off the commits, nor could I find an option in the documentation to enable it.
For a reference PR, please check Kubearmor PR #542.
CodePudding user response:
You'll need to pull the PR changes locally and sign them off yourself.
The purpose of the sign-off is to indicate you've looked at these changes, not just to verify the identity of the author. You can still sign off the commits made by Snyk.
But GitHub won't do that in its PR on your behalf.
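The procedure the answer describes, as an added example that is not part of the original question or answer: rewrite the bot's commits locally so each one gets a Signed-off-by trailer, then check for the trailer the way a DCO job does. It builds a throwaway repository as a stand-in for the PR; the base branch "main", the bot branch "snyk-fix", the identities and the go.mod contents are constructed placeholders, not taken from the Kubearmor PR.

```shell
#!/usr/bin/env sh
# Added example (not from the question or the answer): sign off a bot's
# unsigned commits locally, then verify the trailer the way a DCO check does.
# Assumptions (placeholders, not from the original post): git is installed,
# the base branch is "main", the bot's PR branch is "snyk-fix", and the
# identities and file contents below are invented.
set -eu

# Build a throwaway repository that mimics the situation: a base branch and
# a bot branch carrying one commit without a Signed-off-by trailer.
# Constructed fixture; prints the repository path.
make_fixture() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.name "Maintainer"
  git -C "$repo" config user.email "maintainer@example.com"
  echo 'example.com/lib v1.0.0' > "$repo/go.mod"
  git -C "$repo" add go.mod
  git -C "$repo" commit -q -m "initial commit"
  # The bot commits under its own identity and does not sign off.
  git -C "$repo" checkout -q -b snyk-fix
  echo 'example.com/lib v1.0.1' > "$repo/go.mod"
  git -C "$repo" -c user.name="snyk-bot" -c user.email="snyk-bot@example.com" \
    commit -q -am "fix: upgrade example.com/lib to 1.0.1"
  echo "$repo"
}

# Number of commits on $branch but not on $base that lack a Signed-off-by
# trailer. A DCO job fails when this is non-zero.
unsigned_count() {
  repo=$1; base=$2; branch=$3
  n=0
  for c in $(git -C "$repo" rev-list "$base..$branch"); do
    if ! git -C "$repo" log -1 --format=%B "$c" | grep -q '^Signed-off-by: '; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Rewrite every commit on $branch (not on $base) with a Signed-off-by trailer.
# The trailer carries the local user.name/user.email, i.e. the maintainer who
# reviewed the bot's change signs, not the bot. -f forces the rewrite even
# when the branch already sits on top of $base.
signoff_branch() {
  repo=$1; base=$2; branch=$3
  git -C "$repo" checkout -q "$branch"
  git -C "$repo" rebase -q -f --signoff "$base"
}

# Stand-alone demo on the fixture: 1 unsigned commit before, 0 after.
r=$(make_fixture)
echo "unsigned before: $(unsigned_count "$r" main snyk-fix)"
signoff_branch "$r" main snyk-fix
echo "unsigned after:  $(unsigned_count "$r" main snyk-fix)"
git -C "$r" log -1 --format=%B snyk-fix
rm -rf "$r"
```

Against a real PR you would fetch the PR's head branch into a local branch, run the same `git rebase -f --signoff <base>` on it, and force-push it back to the PR branch; the rewritten commits then carry your sign-off, which is what the DCO check looks for.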