modules/testing/pages/build/snyk.adoc
Lines changed: 29 additions & 15 deletions
@@ -6,26 +6,39 @@ The `sast-snyk-check` task uses the Snyk Code tool to perform static application
6
6
Specifically, the Snyk check scans an application's source code for potential security vulnerabilities,
7
7
including SQL injection, cross-site scripting (XSS), and code injection attack vulnerabilities.
8
8
9
-
NOTE: You can run a Snyk task only if you have a Snyk token configured in a namespace secret. Ensure that the name of your secret is included in the *snyk-secret* pipeline parameter.
9
+
[NOTE]
10
+
====
11
+
You can run a Snyk task only if you have a Snyk token configured in a namespace secret. Ensure that the name of your secret is included in the *snyk-secret* pipeline parameter.
12
+
====
10
13
11
14
.Procedure
12
15
13
16
. Register for a Snyk account or log in at https://app.snyk.io/.
14
-
. Get a Snyk token.
15
-
16
-
.. In the lower left of the home page, click your name, then select *Account settings*.
17
-
18
-
.. From the Account Settings page, select *General*, which is the default, then *Auth Token*.
19
-
20
-
.. Under the *Auth Token* section, click *Click to View* to see the *KEY* value of the automatically generated token.
17
+
. Create a Snyk token using a Service Account.
18
+
+
19
+
[NOTE]
20
+
====
21
+
To create a Service Account token at the Organization level, you must have the **Org Admin** role in Snyk. If you do not have the required permissions, use your individual API token instead.
22
+
====
23
+
24
+
.. Select the correct **Group** and then select the **Organization** that you want to work with from the left navigation panel.
25
+
.. Verify your required access level by clicking the **Members** button.
26
+
.. Click **Settings** and then select **Service accounts** from the menu next to it.
27
+
.. In the *Create a new service account* section, give the service account a meaningful **Name** and select the appropriate **Role** from the drop-down menu (e.g., *Org Collaborator*).
28
+
.. Click the **Create** button.
29
+
.. Copy the generated **API Token**. This token is visible only once; secure it before clicking **Close and hide**.
21
30
22
31
. Enable Snyk Code.
32
+
+
33
+
Snyk Code must be enabled within your Organization settings for the SAST scan to function. Due to UI variations, use one of the following methods:
23
34
35
+
* __Recommended (via Import flow):__
36
+
.. Click the *Home* icon under your Organization, then select *Import projects*.
37
+
.. In the third section, *Configure automation settings & authenticate*, ensure the **Snyk Code** checkbox is checked.
38
+
* __Alternative (via Settings):__
24
39
.. From the left panel, go to *Settings* > *Snyk Code*, then scroll to the *Enable Snyk Code* section.
25
-
26
40
.. Toggle *Disabled* to *Enabled*.
27
-
28
-
.. Click *Save* changes.
41
+
.. Click *Save changes*.
29
42
30
43
. Add your new secret to your tenant namespace.
31
44
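Review bot: the rewritten token step drops the old "Account settings > General > Auth Token" sub-steps, but the new admonition still tells readers without the **Org Admin** role to "use your individual API token instead" without saying where that token lives; keep a one-line pointer to the personal token location (the three removed `..` sub-steps, or a link to the Snyk docs) so the fallback path is actually followable. In the same hunk, the role guidance in ".. In the *Create a new service account* section ... select the appropriate **Role** from the drop-down menu (e.g., *Org Collaborator*)" should name the least-privileged role the `sast-snyk-check` task actually needs rather than offer an example, since readers will copy the example and the token ends up stored as a namespace secret; and ".. Verify your required access level by clicking the **Members** button." does not say what access level is required, so either state it or fold the check into the admonition above. Minor: the mixed `* __Recommended (via Import flow):__` bullets with `..` sub-steps under an ordered `. Enable Snyk Code.` item should be checked in a rendered preview, because the `..` items restart lettering under each bullet and the `* __Alternative (via Settings):__` branch then continues with context lines from the old numbering.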
@@ -46,13 +59,14 @@ NOTE: You can run a Snyk task only if you have a Snyk token configured in a name
46
59
... Paste your Snyk token into the *Upload the file with value for your key or paste its contents* field.
47
60
... Click *Add secret* to save it.
48
61
49
-
You've enabled the Snyk task for your build pipeline.
62
+
You have now enabled the Snyk task for your build pipeline.
50
63
51
-
In case multiple components are maintained in a single git repository, Snyk Code is unable to distinguish which directories contain the source code for which component. Consequently, Snyk Code reports duplicated findings because it always scans the whole git repository rather than scanning each component separately. As a workaround for this limitation of Snyk Code, one can use the `IGNORE_FILE_PATHS` parameter of the sast-snyk-check task to specify which directories should be ignored while scanning a specific component. Namely, one can use the parameter to make Snyk Code ignore directories that are used for build of other components maintained in the same git repository.
64
+
In case multiple components are maintained in a single git repository, Snyk Code is unable to distinguish which directories contain the source code for which component. Consequently, Snyk Code reports duplicated findings because it always scans the whole git repository rather than scanning each component separately. As a workaround for this limitation of Snyk Code, use the `IGNORE_FILE_PATHS` parameter of the sast-snyk-check task to specify which directories should be ignored while scanning a specific component. Namely, use the parameter to make Snyk Code ignore directories that are used for build of other components maintained in the same git repository.
52
65
53
66
This parameter takes a list of comma-separated file paths (directories and files) to be ignored.
54
67
55
-
Example:
68
+
.Example: IGNORE_FILE_PATHS parameter
69
+
[source,yaml]
56
70
----
57
71
- name: IGNORE_FILE_PATHS
58
72
value: "tests/,Dockerfile,README.md"
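Review bot: the wording fix in the `IGNORE_FILE_PATHS` paragraph ("one can use" to "use") is good, but the sentence "Namely, use the parameter to make Snyk Code ignore directories that are used for build of other components maintained in the same git repository." still reads awkwardly; suggest "that is, use it to exclude the directories that belong to other components built from the same repository". The new `.Example: IGNORE_FILE_PATHS parameter` title with `[source,yaml]` is an improvement over the bare "Example:" paragraph; since the value is described as "a list of comma-separated file paths", the paragraph before the listing should also say whether paths are relative to the repository root and whether a trailing slash is needed to ignore a directory (the example uses `tests/` but the text does not say so), otherwise readers will guess.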
@@ -63,4 +77,4 @@ This action will make use of the `snyk ignore` command.
63
77
[role="_additional-resources"]
64
78
== Additional resources
65
79
66
-
For more information about Snyk, see link:https://snyk.io/product/snyk-code/[the Snyk website].
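Review bot: the hunk header `@@ -63,4 +77,4 @@` says four lines on the new side, but only three new-side lines are visible here (`[role="_additional-resources"]`, `== Additional resources`, and a blank), and the removed "For more information about Snyk, see link:https://snyk.io/product/snyk-code/[the Snyk website]." has no visible replacement; confirm the section still has at least one link after this change, otherwise the `[role="_additional-resources"]` heading is left empty and should be removed together with the link rather than kept as a dangling section.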