integrate with snyk
farrell-m committed Dec 20, 2024
1 parent 5eb3b8b commit d16697b
Showing 5 changed files with 170 additions and 0 deletions.
26 changes: 26 additions & 0 deletions .github/workflows/pr-merge-main.yml
Expand Up @@ -58,3 +58,29 @@ jobs:
with:
arguments: release -Prelease.useAutomaticVersion=true

vulnerability-report:
if: github.event.pull_request.merged == true
runs-on: ubuntu-latest

env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: legal-aid-agency
SNYK_TEST_EXCLUDE: build,generated

steps:
- uses: actions/checkout@v3
- name: Generate Snyk report and upload to LAA Dashboard
uses: snyk/actions/[email protected]
continue-on-error: true
with:
command: monitor
args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE
- name: Generate sarif Snyk report
uses: snyk/actions/[email protected]
continue-on-error: true
with:
args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE --sarif-file-output=snyk-report.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-report.sarif
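Review bot: The `Upload result to GitHub Code Scanning` step has nothing to upload when the `Generate sarif Snyk report` step fails before writing `snyk-report.sarif`; `snyk test` exits non-zero whenever it finds issues, so `continue-on-error: true` is needed there, but it also masks real failures (authentication, no supported projects) after which the upload step fails or the job ends without any report reaching Code Scanning. Gate the upload on the file, e.g. `if: always() && hashFiles('snyk-report.sarif') != ''`, so a missing report is visible as a failed scan rather than a missing upload. `upload-sarif` also needs `security-events: write`; if the workflow's top-level `permissions:` (not visible in this hunk) restricts the default token, add `permissions: { contents: read, security-events: write }` to the `vulnerability-report` job. The third-party actions used here (`snyk/actions/[email protected]`, `actions/checkout@v3`, `github/codeql-action/upload-sarif@v2`) and in push-branch.yml are referenced by mutable tags; pinning them to a full commit SHA keeps the supply chain of this security job itself reviewable.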
31 changes: 31 additions & 0 deletions .github/workflows/push-branch.yml
Expand Up @@ -55,3 +55,34 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

vulnerability-scan:
runs-on: ubuntu-latest

env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: legal-aid-agency
SNYK_TEST_EXCLUDE: build,generated

steps:
- uses: actions/checkout@v3
- name: Set up JDK 21
uses: actions/setup-java@v3
with:
java-version: '21'
distribution: 'temurin'
- uses: snyk/actions/[email protected]
- name: Install snyk-delta
run: |
npm config set prefix '~/.local/'
mkdir -p ~/.local/bin
export PATH="$HOME/.local/bin/:$PATH"
npm install -g snyk-delta
- name: Identify new vulnerabilities
run: ./snyk/snyk_delta_all_projects.sh --org=$SNYK_ORG --exclude=$SNYK_TEST_EXCLUDE
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run code test
uses: snyk/actions/[email protected]
with:
command: code test
args: --org=${SNYK_ORG}
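Review bot: The `export PATH="$HOME/.local/bin/:$PATH"` line in the `Install snyk-delta` step only changes that step's shell, so the `snyk-delta` binary installed under `~/.local/bin` is not guaranteed to be found when `./snyk/snyk_delta_all_projects.sh` invokes it in the `Identify new vulnerabilities` step; it works only if the runner image already has `$HOME/.local/bin` on PATH. Replace that line with `echo "$HOME/.local/bin" >> "$GITHUB_PATH"` so the directory persists across steps. The same step installs an unpinned `snyk-delta` from npm on every push; pinning it (`npm install -g snyk-delta@<version>`, version to be chosen) keeps the gate reproducible and makes upgrades an explicit review. The script's executable bit is not visible in this diff; if it is not set in the repository, run it as `bash ./snyk/snyk_delta_all_projects.sh ...` instead.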
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -97,3 +97,6 @@ test-results/
# Project
data-api/src/main/resources/application-secret.yml
data-service/src/main/resources/application-secret.yml

# Snyk
.dccache
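--- a/.snyk
+++ b/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.1
+ignore: {}
+patch: {}
+exclude:
+global:
+- data-service/src/test
+- data-service/src/integrationTest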
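--- a/snyk/snyk_delta_all_projects.sh
+++ b/snyk/snyk_delta_all_projects.sh
@@ -0,0 +1,102 @@
+#!/bin/bash
+
+
+# Copyright 2018 Snyk Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Permalink: https://github.com/snyk-tech-services/snyk-delta/blob/1a45cc1ec6b390d8e1b266b157e00453a4d12eb5/snyk_delta_all_projects.sh
+
+# Call this script as you would call snyk test | snyk-delta, minus the --all-projects and --json flags
+# This is an interim fix until snyk-delta supports all projects itself (or snyk supports a --new flag)
+# example: /bin/bash snyk_delta_all_projects.sh --severity=high --exclude=tests,resources -- -s config.yaml
+# runs snyk test --all-projects --json $*
+# requires jq to be installed
+
+set -euo pipefail
+
+exit_code=0
+snyk_test_json=''
+formatted_json=''
+args=("$*")
+
+run_snyk_delta () {
+# add in any other arguments you would like to use
+snyk-delta
+}
+
+run_snyk_test () {
+echo "Running: snyk test --all-projects --json" $args
+local snyk_exit_code=0
+{
+
+snyk_test_json=`snyk test --all-projects --json $args`
+
+} || {
+snyk_exit_code=$?
+if [ $snyk_exit_code -eq 2 ]
+then
+echo 'snyk test command was not successful, retry with -d to see more information'
+exit 2
+fi
+}
+
+
+}
+
+format_snyk_test_output() {
+echo "Processing snyk test --json output"
+{
+formatted_json=`echo $snyk_test_json | jq -r 'if type=="array" then .[] else . end | @base64'`
+} || {
+echo 'failed to process snyk-test result'
+exit 2
+}
+}
+
+
+#######
+# 1. run snyk test
+run_snyk_test
+
+# 2. format results to support single & multiple results returned
+format_snyk_test_output
+
+# 3. call snyk-delta for each result
+for test in `echo $formatted_json`; do
+single_result="$(echo ${test} | base64 -d)" # use "base64 -d -i" on Windows, which will ignore any "gardage" characters echoing may add
+project_name="$(echo ${single_result} | jq -r '.displayTargetFile')"
+echo 'Processing: ' ${project_name}
+if echo ${single_result} | run_snyk_delta
+then
+project_exit_code=$?
+echo 'Finished processing'
+else
+project_exit_code=$?
+if [ $project_exit_code -gt 1 ]
+then
+echo 'snyk-delta encountered an error, retrying.'
+echo ${single_result} | run_snyk_delta
+fi
+echo 'Finished processing'
+fi
+
+if [ $project_exit_code -gt $exit_code ]
+then
+exit_code=$project_exit_code
+fi
+echo "Project: ${project_name} | Exit code: ${project_exit_code}"
+done
+
+echo "Overall exit code for snyk-delta-all-projects.sh: ${exit_code}"
+exit $exit_code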
