From 110c06ad8c81676d6ecb0bc9ce446d45366ecaf5 Mon Sep 17 00:00:00 2001 From: maira-samtek Date: Wed, 18 Sep 2024 15:44:22 -0400 Subject: [PATCH] fix(readme): updated ReadME --- README.md | 3 +-- SNYK.md | 5 +---- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cd56f57..28cb71f 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,6 @@ jira-labels: Labels to be applied to the created Jira tickets (c jira-custom-field-key-value: A JSON string containing key-value pairs of custom fields and their values in Jira. assign-jira-ticket-to: The accountID of a user to assigne a ticket to. scan-output-path: The path to the scan output file. -snyk-test-type: The type of Snyk scan being run. Accepts 'open-source', 'iac', or 'container'. Defaults to 'open-source'. min-severity: The minimum severity level a vulnerability must have for a Jira ticket to be created. Accepts 'low', 'medium', 'high', 'critical'. ``` # Usage 
@@ -57,4 +56,4 @@ jobs: Ensure that you have the required secrets (JIRA_HOST, JIRA_USERNAME, and JIRA_TOKEN) configured in your repository's settings so that they can be accessed by the Action script. -The workflow configuration assumes that you are running the security scan command and saving the output to a file named scan-output.json. Adjust the command and file name according to your specific scan tool and configuration. For more information on how to implement a Snyk scan and use it in conjuction with this action, please view [`SNYK.md`](./SNYK.md). \ No newline at end of file +The workflow configuration assumes that the security scan command is executed, and the output is saved to a file named scan-output.json. The scan test type is automatically detected based on the structure of the scan output for snyk. Currently, supported snyk test types include IaC, open-source, and container scans. You can adjust the command and file name according to your specific scan tool and configuration. For detailed guidance on implementing a Snyk scan and integrating it with this action, please refer to [`SNYK.md`](./SNYK.md). diff --git a/SNYK.md b/SNYK.md index 32bec9c..dfe5010 100644 --- a/SNYK.md +++ b/SNYK.md 
@@ -110,12 +110,11 @@ First the `snyk` CLI will need to be installed with `npm`. It is then used to ru # assign-jira-ticket-to: '' scan-output-path: 'snyk_output.txt' scan-type: 'snyk' - snyk-test-type: 'iac' min-severity: 'critical' major-version-only: 'true' ``` -Note that the `snyk-test-type` input has been added. Because the output format of each `snyk` command is different, we must specifiy what kind of Snyk scan is being run to successfully parse the output file and create Jira tickets (if no input is provided for `snyk-test-type`, it defaults to `'open-source'`). +Note that the scan type is automatically detected based on the output structure of the snyk command and the supported scan test types are "iac", "open-source" and "container". **Also note:** `snyk iac test` will most likely detect a lot of low and medium severity level vulnerabilities. To keep the Jira ticket creation at a manageable amount, it is advisiable to not set `min-severity` any lower than `'critical'` or `'high'`. @@ -162,7 +161,6 @@ The following example demonstrates how to use `snyk container test` in conjuncti is_jira_enterprise: true scan-output-path: 'snyk_output.txt' scan-type: 'snyk' - snyk-test-type: 'container' min-severity: 'critical' major-version-only: 'true' ``` @@ -230,7 +228,6 @@ This example demonstrates how to scan an image that is stored in an ECR reposito jira-title-prefix: '[CMCSMACD] - Snyk :' is_jira_enterprise: true scan-output-path: 'snyk_output.txt' - snyk-test-type: 'container' ``` ## Exit Codes
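Review bot: The README hunk at `@@ -14,7 +14,6 @@` drops the `snyk-test-type` line from the documented inputs, but this patch changes only `README.md` and `SNYK.md` and does not touch the action definition. If `action.yml` still declares `snyk-test-type`, the documented input list and the real one diverge and users who still pass the input will not learn from the README that it is now ignored. Either include the `action.yml` removal in the same change or add a short deprecation line next to `min-severity` saying the input is no longer read.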
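Review bot: The replacement paragraph in the README hunk at `@@ -57,4 +56,4 @@` describes auto-detection as "based on the structure of the scan output for snyk" but does not say what happens when the output matches none of the three supported structures. Since a misdetected or unrecognised file means no Jira tickets are created, the sentence should state the failure behaviour (error, warning, or silent skip) so that operators know what to look for in the workflow log. Also, "snyk" is lower-cased twice in the added line while the rest of the paragraph and the linked `SNYK.md` use "Snyk"; "The scan test type is automatically detected based on the structure of the Snyk scan output" reads more consistently.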
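Review bot: The new note in the SNYK.md hunk at `@@ -110,12 +110,11 @@` says "the scan type is automatically detected", but the example immediately above it still sets `scan-type: 'snyk'` explicitly, so a reader can take the sentence to mean that `scan-type` itself is detected. Use the patch's own term and write "the Snyk test type (iac, open-source or container) is detected from the output of the `snyk` command", keeping `scan-type` for the tool selection. The removed line also carried the fact that the test type defaulted to `'open-source'`; if the detector has a fallback of its own, say so here rather than leaving the default undocumented.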
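Review bot: In the SNYK.md hunk at `@@ -230,7 +228,6 @@`, removing `snyk-test-type: 'container'` leaves the ECR example with no Snyk-specific input at all in the visible context (`jira-title-prefix`, `is_jira_enterprise`, `scan-output-path`), whereas the other two examples in this patch keep `scan-type: 'snyk'` next to the removed line. If the ECR example does not set `scan-type` further up, it will no longer be clear how the action knows to apply the Snyk parser to `snyk_output.txt`; either add `scan-type: 'snyk'` here or confirm it is present above the hunk.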