Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update SNYK.md with documentation on handling different exit codes #39

Merged
merged 1 commit into from
Mar 14, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 80 additions & 9 deletions SNYK.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,13 +53,17 @@ Currently, the `macfc-security-scan-report` action supports Jira Ticket creation

```
- name: Install Snyk and Run Snyk test
id: snyk_test
run: |
npm install -g snyk
snyk test --all-projects --json > snyk_output.txt || true
snyk test --all-projects --json > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Handle other exit codes here (see 'Exit Codes' section below)

- name: use macfc-security-scan-report action to parse Snyk output
if: steps.snyk_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_TOKEN }}
Expand All @@ -82,13 +86,17 @@ First the `snyk` CLI will need to be installed with `npm`. It is then used to ru

```
- name: Install Snyk and Run Snyk test
id: snyk_iac_test
run: |
npm install -g snyk
snyk iac test > snyk_output.txt || true
snyk iac test > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Handle other exit codes here (see 'Exit Codes' section below)

- name: use macfc-security-scan-report action to parse Snyk output
if: steps.snyk_iac_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_TOKEN }}
Expand Down Expand Up @@ -127,17 +135,21 @@ The following example demonstrates how to use `snyk container test` in conjuncti
uses: aws-actions/amazon-ecr-login@v2

- name: Install Snyk and Run Snyk test
id: snyk_container_test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
REGISTRY: ${{ steps.ecr-login.outputs.registry }}
REPOSITORY: my-ecr-repo
IMAGE_TAG: latest
run: |
npm install -g snyk
snyk container test $REGISTRY/$REPOSITORY:$IMAGE_TAG --json > snyk_output.txt || true
snyk container test $REGISTRY/$REPOSITORY:$IMAGE_TAG --json > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"

# Handle other exit codes (see 'Exit Codes' section below)

- name: Use Github Action to parse Snyk output
uses: Enterprise-CMCS/macfc-security-scan-report@hms-snyk-updates-b
if: steps.snyk_container_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_SNYK_TOKEN }}
jira-host: ${{ secrets.JIRA_HOST_NAME }}
Expand All @@ -160,13 +172,17 @@ This example demonstrates how to scan an image that is stored in an ECR reposito
# First run `snyk test` and create Jira tickets

- name: Install Snyk and Run Snyk test
id: snyk_test
run: |
npm install -g snyk
snyk test --all-projects --json > snyk_output.txt || true
snyk test --all-projects --json > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Handle other exit codes here (see 'Exit Codes' section below)

- name: use macfc-security-scan-report action to parse Snyk Test output
if: steps.snyk_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_TOKEN }}
Expand All @@ -187,17 +203,21 @@ This example demonstrates how to scan an image that is stored in an ECR reposito
uses: aws-actions/amazon-ecr-login@v2

- name: Install Snyk and Run Snyk test
id: snyk_container_test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
REGISTRY: ${{ steps.ecr-login.outputs.registry }}
REPOSITORY: my-ecr-repo
IMAGE_TAG: latest
run: |
npm install -g snyk
snyk container test $REGISTRY/$REPOSITORY:$IMAGE_TAG --json > snyk_output.txt || true
snyk container test $REGISTRY/$REPOSITORY:$IMAGE_TAG --json > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"

# Handle other exit codes here (see 'Exit Codes' section below)

- name: Use Github Action to parse Snyk Container Test output
uses: Enterprise-CMCS/macfc-security-scan-report@hms-snyk-updates-b
if: steps.snyk_container_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_SNYK_TOKEN }}
jira-host: ${{ secrets.JIRA_HOST_NAME }}
Expand All @@ -210,6 +230,54 @@ This example demonstrates how to scan an image that is stored in an ECR reposito
snyk-test-type: 'container'
```

## Exit Codes
Each `snyk` command will return an exit code from 0 to 3. In all the above examples, by appending `|| echo exit_code=$? >> "$GITHUB_OUTPUT"` to each `snyk` command, the exit code is being set as an output variable that can then be referenced in subsequent steps. It is advisable to handle each different exit code when using Snyk in conjunction with this action. Below is an example of how to do this using the `snyk test` command:

```
- name: Install Snyk and Run Snyk test
id: snyk_test
run: |
npm install -g snyk
snyk test --all-projects --json > snyk_output.json || echo exit_code=$? >> "$GITHUB_OUTPUT"
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Exit code 0 implies no vulnerabilities were found and no errors occurred; exit action successfully
- name: No Vulnerabilities found, exit successfully
if: steps.snyk_test.outputs.exit_code == '0'
run: exit 0

# Exit code 1 implies vulnerabilities were found; run step to create Jira tickets
- name: Vulnerabilities found; create Jira tickets
if: steps.snyk_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_SNYK_TOKEN }}
jira-host: ${{ secrets.JIRA_HOST_NAME }}
jira-project-key: 'CMCSMACD'
jira-issue-type: 'Bug'
jira-labels: 'CMCSMACD,snyk'
jira-title-prefix: '[CMCSMACD] - Snyk :'
is_jira_enterprise: true
assign-jira-ticket-to: 'SYQC'
scan-output-path: 'snyk_output.json'
scan-type: 'snyk'
min-severity: 'medium'

# Exit code 2 implies errors occured during the scan; output the contents of snyk_output.json to examine the errors
- name: Scan failed; log errors
if: steps.snyk_test.outputs.exit_code == '2'
run: |
cat snyk_output.json
exit 1

# Exit code 3 implies no projects detected
- name: No supported projects detected
if: steps.snyk_test.outputs.exit_code == '3'
run: |
exit 1
```


## Triggers

Expand All @@ -225,7 +293,6 @@ on:

This activates the Snyk scan whenever a Pull Request is opened as well as at a regular interval at the time specified. A full workflow with both of these triggers could be written as follows:


```
on:
pull_request:
Expand Down Expand Up @@ -259,14 +326,18 @@ snyk_nightly_run:
uses: actions/checkout@v3

- name: Install Snyk and Run Snyk test
id: snyk_test
run: |
npm install -g snyk
snyk test --all-projects --json > snyk_output.txt || true
snyk test --all-projects --json > snyk_output.txt || echo exit_code=$? >> "$GITHUB_OUTPUT"
cat snyk_output.txt
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Handle other exit codes...

- name: use macfc-security-scan-report action to parse Snyk output
if: steps.snyk_test.outputs.exit_code == '1'
uses: Enterprise-CMCS/[email protected]
with:
jira-token: ${{ secrets.JIRA_TOKEN }}
Expand Down
Loading