Skip to content

Commit

Permalink
feat(STONEINTG-1020): make snyk scan all files
Browse files Browse the repository at this point in the history
  • Loading branch information
@jsztuka
jsztuka committed Aug 20, 2024
1 parent bca9467 commit 59e1d7f
Show file tree
Hide file tree
Showing 16 changed files with 415 additions and 32 deletions.
2 changes: 1 addition & 1 deletion .tekton/pull-request.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ metadata:
name: build-definitions-pull-request
annotations:
pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || !body.pull_request.draft) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/"))
pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.1/sast-snyk-check.yaml]"
pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.2/sast-snyk-check.yaml]"
pipelinesascode.tekton.dev/task-2: "yaml-lint"
pipelinesascode.tekton.dev/max-keep-runs: "5"
spec:
Expand Down
6 changes: 3 additions & 3 deletions pipelines/docker-build-oci-ta/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### sast-snyk-check-oci-ta:0.1 task parameters
### sast-snyk-check-oci-ta:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
Expand Down Expand Up @@ -216,12 +216,12 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT|
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT|
|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT|
### push-dockerfile-oci-ta:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### sast-snyk-check-oci-ta:0.1 task results
### sast-snyk-check-oci-ta:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|TEST_OUTPUT| Tekton task test output.| |
Expand Down
7 changes: 6 additions & 1 deletion pipelines/docker-build-oci-ta/patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,15 @@
- op: add
# In the docker-build Pipeline, the snyk Task does not receive any parameters, so we cannot
# append to it.
path: /spec/tasks/8/params
path: /spec/tasks/8/params/-
value:
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- op: add
path: /spec/tasks/8/params/-
value:
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- op: remove
path: /spec/tasks/8/workspaces/0

Expand Down
12 changes: 6 additions & 6 deletions pipelines/docker-build/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -128,7 +128,7 @@
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### sast-snyk-check:0.1 task parameters
### sast-snyk-check:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
Expand Down Expand Up @@ -174,9 +174,9 @@
### buildah:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
Expand Down Expand Up @@ -214,7 +214,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### sast-snyk-check:0.1 task results
### sast-snyk-check:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|TEST_OUTPUT| Tekton task test output.| |
Expand All @@ -236,7 +236,7 @@
|---|---|---|---|
|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
|netrc| |True| prefetch-dependencies:0.1:netrc|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace|
## Available workspaces from tasks
### buildah:0.2 task workspaces
|name|description|optional|workspace from pipeline
Expand All @@ -258,7 +258,7 @@
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
### sast-snyk-check:0.1 task workspaces
### sast-snyk-check:0.2 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| | False| workspace|
Expand Down
12 changes: 6 additions & 6 deletions pipelines/java-builder/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@
|PATH_CONTEXT| The location of the path to run s2i from| .| '$(params.path-context)'|
|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
### sast-snyk-check:0.1 task parameters
### sast-snyk-check:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
Expand Down Expand Up @@ -193,12 +193,12 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
### sast-snyk-check:0.1 task results
### sast-snyk-check:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|TEST_OUTPUT| Tekton task test output.| |
Expand All @@ -220,7 +220,7 @@
|---|---|---|---|
|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
|netrc| |True| prefetch-dependencies:0.1:netrc|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace|
## Available workspaces from tasks
### git-clone:0.1 task workspaces
|name|description|optional|workspace from pipeline
Expand All @@ -242,7 +242,7 @@
|name|description|optional|workspace from pipeline
|---|---|---|---|
|source| Workspace containing the source code to build.| False| workspace|
### sast-snyk-check:0.1 task workspaces
### sast-snyk-check:0.2 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| | False| workspace|
Expand Down
12 changes: 6 additions & 6 deletions pipelines/nodejs-builder/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@
|PATH_CONTEXT| The location of the path to run s2i from.| .| '$(params.path-context)'|
|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
### sast-snyk-check:0.1 task parameters
### sast-snyk-check:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
Expand Down Expand Up @@ -193,10 +193,10 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
### sast-snyk-check:0.1 task results
|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
### sast-snyk-check:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|TEST_OUTPUT| Tekton task test output.| |
Expand All @@ -218,7 +218,7 @@
|---|---|---|---|
|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
|netrc| |True| prefetch-dependencies:0.1:netrc|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace|
## Available workspaces from tasks
### git-clone:0.1 task workspaces
|name|description|optional|workspace from pipeline
Expand All @@ -240,7 +240,7 @@
|name|description|optional|workspace from pipeline
|---|---|---|---|
|source| Workspace containing the source code to build.| False| workspace|
### sast-snyk-check:0.1 task workspaces
### sast-snyk-check:0.2 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| | False| workspace|
Expand Down
12 changes: 6 additions & 6 deletions pipelines/tekton-bundle-builder/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@
|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'|
|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
### sast-snyk-check:0.1 task parameters
### sast-snyk-check:0.2 task parameters
|name|description|default value|already set by|
|---|---|---|---|
|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
Expand Down Expand Up @@ -143,7 +143,7 @@
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
### sast-snyk-check:0.1 task results
### sast-snyk-check:0.2 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|TEST_OUTPUT| Tekton task test output.| |
Expand All @@ -155,16 +155,16 @@
### tkn-bundle:0.1 task results
|name|description|used in params (taskname:taskrefversion:taskparam)
|---|---|---|
|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
|IMAGE_REF| Image reference of the built image| |
|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|

## Workspaces
|name|description|optional|used in tasks
|---|---|---|---|
|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
|netrc| |True| prefetch-dependencies:0.1:netrc|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace|
|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace|
## Available workspaces from tasks
### git-clone:0.1 task workspaces
|name|description|optional|workspace from pipeline
Expand All @@ -182,7 +182,7 @@
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
### sast-snyk-check:0.1 task workspaces
### sast-snyk-check:0.2 task workspaces
|name|description|optional|workspace from pipeline
|---|---|---|---|
|workspace| | False| workspace|
Expand Down
2 changes: 1 addition & 1 deletion pipelines/template-build/template-build.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ spec:
- build-container
taskRef:
name: sast-snyk-check
version: "0.1"
version: "0.2"
workspaces:
- name: workspace
workspace: workspace
Expand Down
9 changes: 7 additions & 2 deletions ta-generator/golden/sast-snyk-check/ta.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ apiVersion: tekton.dev/v1
kind: Task
metadata:
labels:
app.kubernetes.io/version: "0.1"
app.kubernetes.io/version: "0.2"
annotations:
tekton.dev/pipelines.minVersion: "0.12.1"
tekton.dev/tags: "appstudio, hacbs"
Expand Down Expand Up @@ -33,6 +33,11 @@ spec:
- name: SOURCE_ARTIFACT
type: string
description: The Trusted Artifact URI pointing to the artifact with the application source code.
- name: CACHI2_ARTIFACT
description: The Trusted Artifact URI pointing to the artifact with
the prefetched dependencies.
type: string
default: ""
- name: SNYK_SECRET
description: Name of secret which contains Snyk token.
default: snyk-secret
Expand Down Expand Up @@ -91,7 +96,7 @@ spec:
SNYK_EXIT_CODE=0
SOURCE_CODE_DIR=/var/workdir/source
snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?
snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?
test_not_skipped=0
SKIP_MSG="We found 0 supported files"
grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
Expand Down
5 changes: 5 additions & 0 deletions task/sast-snyk-check-oci-ta/0.2/MIGRATION.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Migration from 0.1 to 0.2

Inherited from sast-snyk-check task,
Scanned dir `SOURCE_CODE_DIR`=$(workspaces.workspace.path)/source changed to `SOURCE_CODE_DIR`=$(workspaces.workspace.path)
Added `--max-depth=1` option, so snyk is now scanning both source code and dependencies within workspace.
24 changes: 24 additions & 0 deletions task/sast-snyk-check-oci-ta/0.2/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
# sast-snyk-check-oci-ta task

Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.

Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline.

The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test

See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false|
|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|image-digest|Image digest to report findings for.|""|false|
|image-url|Image URL.|""|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|

Loading

0 comments on commit 59e1d7f

Please sign in to comment.