sast-snyk-check: added feature to ignore directories and files
Resolves: https://issues.redhat.com/browse/OSH-795

The parameter IGNORE has been added, where users can input a list of files and directories (comma-separated), and they will be ignored using the `snyk ignore` functionality.
jperezdealgaba committed Jan 10, 2025
1 parent a07704d commit d704020
Showing 9 changed files with 46 additions and 8 deletions.
1 change: 1 addition & 0 deletions pipelines/docker-build-multi-platform-oci-ta/README.md
Expand Up @@ -219,6 +219,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|---|---|---|---|
|ARGS| Append arguments.| | |
|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
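Review bot: the parameter documented here as IGNORE does not exist under that name in the task definitions in this commit, which declare it as IGNORE_FILE_PATHS (see task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml and task/sast-snyk-check/0.3/sast-snyk-check.yaml); a user who sets IGNORE in a PipelineRun will not reach the task's parameter. Note also that the 9 changed files contain no pipeline YAML, only pipeline and task READMEs plus the two task YAMLs, so nothing in this commit adds an IGNORE pipeline parameter or passes it through to the sast-snyk-check task; either add the pipeline wiring or drop this row until it lands.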
1 change: 1 addition & 0 deletions pipelines/docker-build-oci-ta/README.md
Expand Up @@ -216,6 +216,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|---|---|---|---|
|ARGS| Append arguments.| | |
|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
1 change: 1 addition & 0 deletions pipelines/docker-build/README.md
Expand Up @@ -191,6 +191,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| | |
|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
1 change: 1 addition & 0 deletions pipelines/maven-zip-build-oci-ta/README.md
Expand Up @@ -121,6 +121,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|---|---|---|---|
|ARGS| Append arguments.| | |
|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
1 change: 1 addition & 0 deletions pipelines/maven-zip-build/README.md
Expand Up @@ -98,6 +98,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| | |
|IGNORE| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
|KFP_GIT_URL| URL from repository to download known false positives files| | |
|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
1 change: 1 addition & 0 deletions task/sast-snyk-check-oci-ta/0.3/README.md
Expand Up @@ -13,6 +13,7 @@ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information
|---|---|---|---|
|ARGS|Append arguments.|""|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|IGNORE|Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.|""|false|
|IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false|
|KFP_GIT_URL|URL from repository to download known false positives files|""|false|
|PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false|
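Review bot: the row name IGNORE disagrees with the parameter this same commit adds to the task YAML, which is IGNORE_FILE_PATHS; the default ("") and required (false) columns match the YAML, so only the name is off. Since this README sits next to the task definition and is what users copy parameter names from, rename one side so they agree.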
16 changes: 16 additions & 0 deletions task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
Expand Up @@ -27,6 +27,11 @@ spec:
the prefetched dependencies.
type: string
default: ""
- name: IGNORE_FILE_PATHS
description: Directories or files to be excluded from Snyk scan (Comma-separated).
Useful to split the directories of a git repo across multiple components.
type: string
default: ""
- name: IMP_FINDINGS_ONLY
description: Report only important findings. Default is true. To report
all findings, specify "false"
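Review bot: the new parameter is named IGNORE_FILE_PATHS here while every README touched by this commit documents it as IGNORE, so the docs and the task will not agree once this merges; pick one name and use it in both places. The description also says "excluded from Snyk scan" but the script below implements it with `snyk ignore`, which suppresses findings for those paths rather than skipping them; say "findings under these paths are ignored" so users understand the scan still runs over the code.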
Expand Down Expand Up @@ -109,6 +114,8 @@ spec:
value: $(params.SNYK_SECRET)
- name: ARGS
value: $(params.ARGS)
- name: IGNORE_FILE_PATHS
value: $(params.IGNORE_FILE_PATHS)
- name: IMP_FINDINGS_ONLY
value: $(params.IMP_FINDINGS_ONLY)
- name: KFP_GIT_URL
Expand Down Expand Up @@ -164,6 +171,15 @@ spec:
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
SEVERITY_THRESHOLD="low"
fi
# We ignore files using snyk ignore if the user set up the IGNORE variable
if [[ -n "${IGNORE_FILE_PATHS}" ]]; then
paths="(${IGNORE_FILE_PATHS//,/ })" # Split by comma into an array
for path in "${paths[@]}"; do
(cd "${SOURCE_CODE_DIR}" && snyk ignore --file-path=source/$path)
done
fi
set +e
# We do want to expand ARGS (it can be multiple CLI flags, not just one)
# shellcheck disable=SC2086
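Review bot: the loop never builds an array. In `paths="(${IGNORE_FILE_PATHS//,/ })"` the double quotes make `paths` a plain string containing the literal parentheses, so `"${paths[@]}"` expands to that one string and the only command run is `snyk ignore --file-path=source/(dir1 dir2)`, which ignores nothing the user asked for; the comment "Split by comma into an array" is therefore wrong. Use `IFS=',' read -r -a paths <<< "${IGNORE_FILE_PATHS}"` (splitting on commas only, so paths containing spaces or glob characters survive) and quote the argument as `--file-path="source/${path}"`. Two further points: the comment refers to the IGNORE variable but the variable is IGNORE_FILE_PATHS, and the block sits before `set +e`, so if errexit is on at this point (the `set +e` that follows suggests it is) a single failing `snyk ignore` aborts the whole task before any findings are produced; decide whether that is the intended failure mode. Finally, this parameter lets a component author silence SAST findings for entire directories, so consider recording the ignored paths alongside the excluded records that RECORD_EXCLUDED already writes, so the suppression is auditable.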
17 changes: 9 additions & 8 deletions task/sast-snyk-check/0.3/README.md
Expand Up @@ -10,14 +10,15 @@ Snyk's SAST tool uses a combination of static analysis and machine learning tech
## Params:

| name | description | default value | required |
|-----------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|----------|
| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | true |
| ARGS | Append arguments. | "" | false |
| IMP_FINDINGS_ONLY | Report only important findings. To report all findings, specify "false" | true | true |
| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | false |
| PROJECT_NAME | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. | ${metadata.labels['appstudio.openshift.io/component']} | false |
| RECORD_EXCLUDED | Write excluded records in file. Useful for auditing. | false | false |
| name | description | default value | required |
|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|
| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | true |
| ARGS | Append arguments. | "" | false |
| IGNORE | Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components. | "" | false |
| IMP_FINDINGS_ONLY | Report only important findings. To report all findings, specify "false" | true | true |
| KFP_GIT_URL | Link to the known-false-positives repository. If left blank, results won't be filtered | "" | false |
| PROJECT_NAME | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used. | "" | false |
| RECORD_EXCLUDED | Write excluded records in file. Useful for auditing. | false | false |

## How to obtain a snyk-token and enable snyk task on the pipeline:

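Review bot: besides adding the IGNORE row (which, as in the other READMEs, should match the YAML parameter name IGNORE_FILE_PATHS), this table rewrite silently changes the documented default of PROJECT_NAME from `${metadata.labels['appstudio.openshift.io/component']}` to `""`. If that is a deliberate correction of stale docs, say so in the commit message; if not, keep the old value, since the description still says the Konflux component name is used by default and readers will now see a blank default that contradicts it.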
15 changes: 15 additions & 0 deletions task/sast-snyk-check/0.3/sast-snyk-check.yaml
Expand Up @@ -57,6 +57,10 @@ spec:
type: string
description: Write excluded records in file. Useful for auditing (defaults to false).
default: "false"
- name: IGNORE_FILE_PATHS
type: string
description: Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.
default: ""
volumes:
- name: snyk-secret
secret:
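Review bot: in this variant the parameter is appended after RECORD_EXCLUDED, whereas the oci-ta task places it between CACHI2_ARTIFACT and IMP_FINDINGS_ONLY; keep the two task definitions in the same order so diffs between them stay readable. The description is also one long line here but wrapped in the oci-ta file; wrap it the same way.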
Expand Down Expand Up @@ -87,6 +91,8 @@ spec:
value: $(params.SNYK_SECRET)
- name: ARGS
value: $(params.ARGS)
- name: IGNORE_FILE_PATHS
value: $(params.IGNORE_FILE_PATHS)
- name: IMP_FINDINGS_ONLY
value: $(params.IMP_FINDINGS_ONLY)
- name: KFP_GIT_URL
Expand Down Expand Up @@ -142,6 +148,15 @@ spec:
if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
SEVERITY_THRESHOLD="low"
fi
# We ignore files using snyk ignore if the user set up the IGNORE variable
if [[ -n "${IGNORE_FILE_PATHS}" ]]; then
paths="(${IGNORE_FILE_PATHS//,/ })" # Split by comma into an array
for path in "${paths[@]}"; do
(cd "${SOURCE_CODE_DIR}" && snyk ignore --file-path=source/$path)
done
fi
set +e
# We do want to expand ARGS (it can be multiple CLI flags, not just one)
# shellcheck disable=SC2086
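Review bot: this is the same block as in the oci-ta task and carries the same defect: `paths="(${IGNORE_FILE_PATHS//,/ })"` assigns a quoted string, not an array, so the loop runs once with the literal `(a b)` as the path and no requested path is ignored. Replace it with `IFS=',' read -r -a paths <<< "${IGNORE_FILE_PATHS}"`, quote `$path` in `--file-path="source/${path}"`, fix the comment that names the variable IGNORE, and apply the identical fix to both files so the two tasks do not drift.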