-
Notifications
You must be signed in to change notification settings - Fork 114
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
sast-snyk-check: increased version to 0.3
Resolves: https://issues.redhat.com/browse/OSH-737 In this version, the severity-threshold argument is introduced and enabled by default to high and the results are parsed with csgrep to be uploaded with the fingerprint. This MR needs to be merged after this one: https://github.com/jperezdealgaba/konflux-test/pull/1/files
- Loading branch information
1 parent
f7e5465
commit 38f3878
Showing
3 changed files
with
188 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Migration from 0.2 to 0.3 | ||
|
||
Version 0.3: | ||
|
||
- The `--severity-threshold` argument has been introduced and enabled by default with "high" value. Only high or superior vulnerabilities will be shown. Possible values for this argument are: `low`, `medium` and `high`. | ||
- The results are parsed using `csgrep` and they are uploaded as results with a generated fingerprint. | ||
- There are no default arguments as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code | ||
- The results are uploaded as SARIF files to the registry | ||
- SARIF produced by Snyk Code is not included in the CI log. | ||
|
||
## Action from users | ||
|
||
Renovate bot PR will be created with warning icon for a sast-snyk-check which is expected, no action from users are required. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# sast-snyk-check task | ||
|
||
## Description: | ||
|
||
The sast-snyk-check task uses Snyk Code tool to perform Static Application Security Testing (SAST) for Snyk, a popular cloud-native application security platform. | ||
|
||
Snyk's SAST tool uses a combination of static analysis and machine learning techniques to scan an application's source code for potential security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks. | ||
|
||
> NOTE: This task is executed only if the user provides a Snyk token stored in a secret in their namespace. The name of the secret then needs to be supplied in the `snyk-secret` pipeline parameter. | ||
## Params: | ||
|
||
| name | description | | ||
|-------------|-------------------------------------------| | ||
| SNYK_SECRET | Name of secret which contains Snyk token. | | ||
| ARGS | Append arguments. | | ||
| SEVERITY_THRESHOLD | Only vulnerabilities of the specified level or higher are reported (Possible values are low, medium or high) | | ||
|
||
## How to obtain a snyk-token and enable snyk task on the pipeline: | ||
|
||
Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) | ||
|
||
## Results: | ||
|
||
| name | description | | ||
|-----------------------|--------------------------| | ||
| TEST_OUTPUT | Tekton task test output. | | ||
|
||
## Source repository for image: | ||
|
||
https://github.com/konflux-ci/konflux-test | ||
|
||
## Additional links: | ||
|
||
* https://snyk.io/product/snyk-code/ | ||
* https://snyk.io/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,139 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: Task | ||
metadata: | ||
labels: | ||
app.kubernetes.io/version: "0.3" | ||
annotations: | ||
tekton.dev/pipelines.minVersion: "0.12.1" | ||
tekton.dev/tags: "konflux" | ||
name: sast-snyk-check | ||
spec: | ||
description: >- | ||
Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. | ||
results: | ||
- description: Tekton task test output. | ||
name: TEST_OUTPUT | ||
params: | ||
- name: SNYK_SECRET | ||
description: Name of secret which contains Snyk token. | ||
default: snyk-secret | ||
- name: ARGS | ||
type: string | ||
description: Append arguments. | ||
default: "" | ||
- description: Image URL. | ||
name: image-url | ||
type: string | ||
# In a future 0.2 version of the task, drop the default to make this required | ||
default: "" | ||
- description: Image digest to report findings for. | ||
name: image-digest | ||
type: string | ||
# In a future 0.2 version of the task, drop the default to make this required | ||
default: "" | ||
- name: SEVERITY_THRESHOLD | ||
type: string | ||
description: Report only vulnerabilities at the specified level or higher (Options are low, medium or high). | ||
default: "high" | ||
volumes: | ||
- name: snyk-secret | ||
secret: | ||
secretName: $(params.SNYK_SECRET) | ||
optional: true | ||
steps: | ||
- name: sast-snyk-check | ||
image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 | ||
# per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting | ||
# the cluster will set imagePullPolicy to IfNotPresent | ||
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) | ||
volumeMounts: | ||
- name: snyk-secret | ||
mountPath: "/etc/secrets" | ||
readOnly: true | ||
env: | ||
- name: SNYK_SECRET | ||
value: $(params.SNYK_SECRET) | ||
- name: ARGS | ||
value: $(params.ARGS) | ||
- name: SEVERITY_THRESHOLD | ||
value: $(params.SEVERITY_THRESHOLD) | ||
script: | | ||
#!/usr/bin/env bash | ||
set -euo pipefail | ||
. /utils.sh | ||
trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT | ||
SNYK_TOKEN_PATH="/etc/secrets/snyk_token" | ||
if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then | ||
# SNYK token is provided | ||
SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})" | ||
export SNYK_TOKEN | ||
else | ||
to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)' | ||
note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}" | ||
TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note") | ||
echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" | ||
exit 0 | ||
fi | ||
SNYK_EXIT_CODE=0 | ||
SOURCE_CODE_DIR=$(workspaces.workspace.path) | ||
# shellcheck disable=SC2086 | ||
# We do want to expand ARGS (it can be multiple CLI flags, not just one) | ||
( set -x; snyk code test $ARGS --severity-threshold=$SEVERITY_THRESHOLD "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?) | ||
test_not_skipped=0 | ||
SKIP_MSG="We found 0 supported files" | ||
grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? | ||
if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then | ||
TEST_OUTPUT= | ||
parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true | ||
# When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation | ||
elif [[ "$test_not_skipped" -eq 0 ]]; then | ||
note="Task $(context.task.name) success: Snyk code test found zero supported files." | ||
ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") | ||
else | ||
echo "sast-snyk-check test failed because of the following issues:" | ||
cat stdout.txt | ||
note="Task $(context.task.name) failed: For details, check Tekton task log." | ||
ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") | ||
fi | ||
echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) | ||
# In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context | ||
( set -x; csgrep --mode=json --prepend-path-prefix=$SOURCE_CODE_DIR/ sast_snyk_check_out.json | csgrep --mode=sarif --embed-context 3 > sast_snyk_check_out.sarif) | ||
- name: upload | ||
image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820 | ||
workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) | ||
env: | ||
- name: IMAGE_URL | ||
value: $(params.image-url) | ||
- name: IMAGE_DIGEST | ||
value: $(params.image-digest) | ||
script: | | ||
#!/usr/bin/env bash | ||
UPLOAD_FILE=sast_snyk_check_out.sarif | ||
MEDIA_TYPE=application/sarif+json | ||
if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then | ||
echo 'No image-url or image-digest param provided. Skipping upload.' | ||
exit 0; | ||
fi | ||
if [ ! -f "${UPLOAD_FILE}" ]; then | ||
echo "No ${UPLOAD_FILE} exists. Skipping upload." | ||
exit 0; | ||
fi | ||
echo "Selecting auth" | ||
select-oci-auth $IMAGE_URL > $HOME/auth.json | ||
echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" | ||
oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" | ||
echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" | ||
oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" | ||
workspaces: | ||
- name: workspace |