sast-snyk-check: added feature to ignore directories and files

Resolves: https://issues.redhat.com/browse/OSH-795

The parameter IGNORE has been added where users can input a list of files and directories (comma-separated) and they will be ignored using the snyk ignore functionality

Author: jperezdealgaba

pipelines/docker-build-multi-platform-oci-ta/README.md

@@ -219,6 +219,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

pipelines/docker-build-oci-ta/README.md

@@ -216,6 +216,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

pipelines/docker-build/README.md

@@ -191,6 +191,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|default value|already set by|
 |---|---|---|---|
 |ARGS| Append arguments.| | |
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

pipelines/maven-zip-build-oci-ta/README.md

@@ -121,6 +121,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

pipelines/maven-zip-build/README.md

@@ -98,6 +98,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|default value|already set by|
 |---|---|---|---|
 |ARGS| Append arguments.| | |
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

task/sast-snyk-check-oci-ta/0.3/README.md

@@ -13,6 +13,7 @@ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information
 |---|---|---|---|
 |ARGS|Append arguments.|""|false|
 |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
+|IGNORE_FILE_PATHS|Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.|""|false|
 |IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false|
 |KFP_GIT_URL|URL from repository to download known false positives files|""|false|
 |PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false|

task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml

@@ -27,6 +27,11 @@ spec:
         the prefetched dependencies.
       type: string
       default: ""
+    - name: IGNORE_FILE_PATHS
+      description: Directories or files to be excluded from Snyk scan (Comma-separated).
+        Useful to split the directories of a git repo across multiple components.
+      type: string
+      default: ""
     - name: IMP_FINDINGS_ONLY
       description: Report only important findings. Default is true. To report
         all findings, specify "false"
@@ -109,6 +114,8 @@ spec:
           value: $(params.SNYK_SECRET)
         - name: ARGS
           value: $(params.ARGS)
+        - name: IGNORE_FILE_PATHS
+          value: $(params.IGNORE_FILE_PATHS)
         - name: IMP_FINDINGS_ONLY
           value: $(params.IMP_FINDINGS_ONLY)
         - name: KFP_GIT_URL
@@ -164,6 +171,15 @@ spec:
         if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
           SEVERITY_THRESHOLD="low"
         fi
+
+        # We ignore files using snyk ignore if the user set up the IGNORE variable
+        if [[ -n "${IGNORE_FILE_PATHS}" ]]; then
+          paths="(${IGNORE_FILE_PATHS//,/ })" # Split by comma into an array
+          for path in "${paths[@]}"; do
+            (cd "${SOURCE_CODE_DIR}" && snyk ignore --file-path=source/"$path")
+          done
+        fi
+
         set +e
         # We do want to expand ARGS (it can be multiple CLI flags, not just one)
         # shellcheck disable=SC2086

task/sast-snyk-check/0.3/README.md

@@ -10,14 +10,15 @@ Snyk's SAST tool uses a combination of static analysis and machine learning tech
 
 ## Params:
 
-| name                  | description                                                                                                        | default value                                             | required |
-|-----------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|----------|
-| SNYK_SECRET           | Name of secret which contains Snyk token.                                                                          | snyk-secret                                               | true     |
-| ARGS                  | Append arguments.                                                                                                  | ""                                                        | false    |
-| IMP_FINDINGS_ONLY     | Report only important findings.  To report all findings, specify "false"                                           | true                                                      | true     |
-| KFP_GIT_URL           | Link to the known-false-positives repository. If left blank, results won't be filtered                             | ""                                                        | false    |
-| PROJECT_NAME          | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.    | ${metadata.labels['appstudio.openshift.io/component']}    | false    |
-| RECORD_EXCLUDED       | Write excluded records in file. Useful for auditing.                                                               | false                                                     | false    |
+| name               | description                                                                                                                                      | default value | required |
+|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|
+| SNYK_SECRET        | Name of secret which contains Snyk token.                                                                                                        | snyk-secret   | true     |
+| ARGS               | Append arguments.                                                                                                                                | ""            | false    |
+| IGNORE_FILE_PATHS  | Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.  | ""            | false    |
+| IMP_FINDINGS_ONLY  | Report only important findings.  To report all findings, specify "false"                                                                         | true          | true     |
+| KFP_GIT_URL        | Link to the known-false-positives repository. If left blank, results won't be filtered                                                           | ""            | false    |
+| PROJECT_NAME       | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.                                  | ""            | false    |
+| RECORD_EXCLUDED    | Write excluded records in file. Useful for auditing.                                                                                             | false         | false    |
 
 ## How to obtain a snyk-token and enable snyk task on the pipeline:
 

task/sast-snyk-check/0.3/sast-snyk-check.yaml

@@ -57,6 +57,10 @@ spec:
       type: string
       description: Write excluded records in file. Useful for auditing (defaults to false).
       default: "false"
+    - name: IGNORE_FILE_PATHS
+      type: string
+      description: Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.
+      default: ""
   volumes:
     - name: snyk-secret
       secret:
@@ -87,6 +91,8 @@ spec:
           value: $(params.SNYK_SECRET)
         - name: ARGS
           value: $(params.ARGS)
+        - name: IGNORE_FILE_PATHS
+          value: $(params.IGNORE_FILE_PATHS)
         - name: IMP_FINDINGS_ONLY
           value: $(params.IMP_FINDINGS_ONLY)
         - name: KFP_GIT_URL
@@ -142,6 +148,15 @@ spec:
         if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
           SEVERITY_THRESHOLD="low"
         fi
+
+        # We ignore files using snyk ignore if the user set up the IGNORE variable
+        if [[ -n "${IGNORE_FILE_PATHS}" ]]; then
+          paths="(${IGNORE_FILE_PATHS//,/ })" # Split by comma into an array
+          for path in "${paths[@]}"; do
+            (cd "${SOURCE_CODE_DIR}" && snyk ignore --file-path=source/"$path")
+          done
+        fi
+
         set +e
         # We do want to expand ARGS (it can be multiple CLI flags, not just one)
         # shellcheck disable=SC2086