konflux-ci · dirgim · Jan 15, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -219,6 +219,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md
@@ -216,6 +216,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md
@@ -191,6 +191,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|default value|already set by|
 |---|---|---|---|
 |ARGS| Append arguments.| | |
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md
@@ -121,6 +121,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |ARGS| Append arguments.| | |
 |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md
@@ -98,6 +98,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|default value|already set by|
 |---|---|---|---|
 |ARGS| Append arguments.| | |
+|IGNORE_FILE_PATHS| Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.| | |
 |IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| |
 |KFP_GIT_URL| URL from repository to download known false positives files| | |
 |PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |

@@ -13,6 +13,7 @@ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information
 |---|---|---|---|
 |ARGS|Append arguments.|""|false|
 |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
+|IGNORE_FILE_PATHS|Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.|""|false|
 |IMP_FINDINGS_ONLY|Report only important findings. Default is true. To report all findings, specify "false"|true|false|
 |KFP_GIT_URL|URL from repository to download known false positives files|""|false|
 |PROJECT_NAME|Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.|""|false|

@@ -27,6 +27,11 @@ spec:
         the prefetched dependencies.
       type: string
       default: ""
+    - name: IGNORE_FILE_PATHS
+      description: Directories or files to be excluded from Snyk scan (Comma-separated).
+        Useful to split the directories of a git repo across multiple components.
+      type: string
+      default: ""
     - name: IMP_FINDINGS_ONLY
       description: Report only important findings. Default is true. To report
         all findings, specify "false"
@@ -109,6 +114,8 @@ spec:
           value: $(params.SNYK_SECRET)
         - name: ARGS
           value: $(params.ARGS)
+        - name: IGNORE_FILE_PATHS
+          value: $(params.IGNORE_FILE_PATHS)
         - name: IMP_FINDINGS_ONLY
           value: $(params.IMP_FINDINGS_ONLY)
         - name: KFP_GIT_URL
@@ -164,6 +171,12 @@ spec:
         if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
           SEVERITY_THRESHOLD="low"
         fi
+
+        # We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.
+        (cd "${SOURCE_CODE_DIR}" && IFS="," && for path in $IGNORE_FILE_PATHS; do
+          snyk ignore --file-path="source/${path}"
+        done)
+
         set +e
         # We do want to expand ARGS (it can be multiple CLI flags, not just one)
         # shellcheck disable=SC2086
@@ -221,8 +234,13 @@ spec:
           supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
 
           # We make sure the values are 0 if no supported/total files are found
-          total_files=${total_files:-0}
-          supported_files=${supported_files:-0}
+          if [ "$total_files" = "null" ] || [ -z "$total_files" ]; then
+            total_files=0
+          fi
+
+          if [ "$supported_files" = "null" ] || [ -z "$supported_files" ]; then
+            supported_files=0
+          fi
 
           coverage_ratio=0
           if ((total_files > 0)); then

@@ -10,14 +10,15 @@ Snyk's SAST tool uses a combination of static analysis and machine learning tech
 
 ## Params:
 
-| name                  | description                                                                                                        | default value                                             | required |
-|-----------------------|--------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|----------|
-| SNYK_SECRET           | Name of secret which contains Snyk token.                                                                          | snyk-secret                                               | true     |
-| ARGS                  | Append arguments.                                                                                                  | ""                                                        | false    |
-| IMP_FINDINGS_ONLY     | Report only important findings.  To report all findings, specify "false"                                           | true                                                      | true     |
-| KFP_GIT_URL           | Link to the known-false-positives repository. If left blank, results won't be filtered                             | ""                                                        | false    |
-| PROJECT_NAME          | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.    | ${metadata.labels['appstudio.openshift.io/component']}    | false    |
-| RECORD_EXCLUDED       | Write excluded records in file. Useful for auditing.                                                               | false                                                     | false    |
+| name               | description                                                                                                                                      | default value | required |
+|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|
+| SNYK_SECRET        | Name of secret which contains Snyk token.                                                                                                        | snyk-secret   | true     |
+| ARGS               | Append arguments.                                                                                                                                | ""            | false    |
+| IGNORE_FILE_PATHS  | Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.  | ""            | false    |
+| IMP_FINDINGS_ONLY  | Report only important findings.  To report all findings, specify "false"                                                                         | true          | true     |
+| KFP_GIT_URL        | Link to the known-false-positives repository. If left blank, results won't be filtered                                                           | ""            | false    |
+| PROJECT_NAME       | Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.                                  | ""            | false    |
+| RECORD_EXCLUDED    | Write excluded records in file. Useful for auditing.                                                                                             | false         | false    |
 
 ## How to obtain a snyk-token and enable snyk task on the pipeline:
 

@@ -57,6 +57,10 @@ spec:
       type: string
       description: Write excluded records in file. Useful for auditing (defaults to false).
       default: "false"
+    - name: IGNORE_FILE_PATHS
+      type: string
+      description: Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.
+      default: ""
   volumes:
     - name: snyk-secret
       secret:
@@ -87,6 +91,8 @@ spec:
           value: $(params.SNYK_SECRET)
         - name: ARGS
           value: $(params.ARGS)
+        - name: IGNORE_FILE_PATHS
+          value: $(params.IGNORE_FILE_PATHS)
         - name: IMP_FINDINGS_ONLY
           value: $(params.IMP_FINDINGS_ONLY)
         - name: KFP_GIT_URL
@@ -142,6 +148,12 @@ spec:
         if [ "${IMP_FINDINGS_ONLY}" == "false" ]; then
           SEVERITY_THRESHOLD="low"
         fi
+
+        # We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.
+        (cd "${SOURCE_CODE_DIR}" && IFS="," && for path in $IGNORE_FILE_PATHS; do
+          snyk ignore --file-path="source/${path}"
+        done)
+
         set +e
         # We do want to expand ARGS (it can be multiple CLI flags, not just one)
         # shellcheck disable=SC2086
@@ -199,8 +211,13 @@ spec:
           supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == "SUPPORTED") | .files] | add' "${SOURCE_CODE_DIR}"/sast_snyk_check_out.json)
 
           # We make sure the values are 0 if no supported/total files are found
-          total_files=${total_files:-0}
-          supported_files=${supported_files:-0}
+          if [ "$total_files" = "null" ] || [ -z "$total_files" ]; then
+            total_files=0
+          fi
+
+          if [ "$supported_files" = "null" ] || [ -z "$supported_files" ]; then
+            supported_files=0
+          fi
 
           coverage_ratio=0
           if (( total_files > 0 )); then