Self-detecting Snyk Scan Type #46

Merged
merged 3 commits into from
Sep 18, 2024

Conversation

maira-samtek
Contributor

No description provided.


@yonassrobi yonassrobi left a comment


Thanks @maira-samtek.

I see that you have added auto-detection for Snyk scan type. How does the auto-detect work? Is it based on the setting on the Snyk org?

I guess where I’m getting at is …what if an ADO wants to specify only one type of Snyk test (i.e. open-source)? Would they be able to do that only for the JIRA integration?

@maira-samtek
Contributor Author

> Thanks @maira-samtek.
>
> I see that you have added auto-detection for Snyk scan type. How does the auto-detect work? Is it based on the setting on the Snyk org?
>
> I guess where I’m getting at is …what if an ADO wants to specify only one type of Snyk test (i.e. open-source)? Would they be able to do that only for the JIRA integration?

The current workflow for our Snyk integrations runs a command that checks for vulnerabilities in all the project files in a repository and saves the results in a JSON format. The format of this output changes based on the type of files found.
For example:
If the repository has Infrastructure as Code (like Terraform files), the output will include a section called "infrastructureAsCodeIssues."
If it finds open-source project files (like package.json or nested manifest files), it will list those projects along with their vulnerabilities.
If the output shows vulnerabilities at the first level in the JSON, it’s considered a container scan.
In the mac-fc-embedded here, the package.json is identified as a container scan, while the TMSIS repo here lists multiple projects with vulnerabilities, making it an open-source scan (I've attached screenshots for both cases on the Slack embedded team channel).
Regarding your question, if an ADO wants a specific repo to focus only on Infrastructure as Code, they can change the command to run only the IaC test. For instance, you would replace line 22 (snyk test --all-projects --json > snyk_output.txt || true) in the mac-fc-embedded file with: snyk iac test --json > snyk_output.txt || true
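The shape-based detection described in the comment above, written out as an added example; this is not code from this PR or from the mac-fc-embedded or TMSIS workflows. The three sample JSON documents are constructed stand-ins modelled on the shapes the comment lists, and the `packageManager` check used to separate a container result from a single open-source project is an assumption about Snyk's output format that should be verified against real output. That extra check goes beyond the comment's rule: the mac-fc-embedded case, where a lone package.json was classed as a container scan, is exactly the case where "vulnerabilities at the first level" alone is ambiguous.

```python
import json
from collections import Counter

# Constructed sample outputs modelled on the three shapes described in the PR
# comment. They are illustrative stand-ins, not captured Snyk CLI output.
IAC_OUTPUT = json.dumps({
    "infrastructureAsCodeIssues": [
        {"id": "SNYK-CC-TF-0001", "severity": "medium", "title": "S3 bucket versioning disabled"},
        {"id": "SNYK-CC-TF-0002", "severity": "high", "title": "Security group open to 0.0.0.0/0"},
    ],
})
OPEN_SOURCE_OUTPUT = json.dumps([
    {"projectName": "web", "targetFile": "package.json", "packageManager": "npm",
     "vulnerabilities": [{"id": "SNYK-JS-0001", "severity": "high"}]},
    {"projectName": "worker", "targetFile": "services/worker/package.json",
     "packageManager": "npm", "vulnerabilities": []},
])
CONTAINER_OUTPUT = json.dumps({
    "projectName": "docker-image|myapp", "packageManager": "deb",
    "vulnerabilities": [{"id": "SNYK-DEBIAN12-0001", "severity": "critical"},
                        {"id": "SNYK-DEBIAN12-0002", "severity": "low"}],
})
# A repo with exactly one project: same top-level shape as the container case,
# which is the ambiguity the comment's mac-fc-embedded example ran into.
SINGLE_PROJECT_OUTPUT = json.dumps({
    "projectName": "web", "targetFile": "package.json", "packageManager": "npm",
    "vulnerabilities": [{"id": "SNYK-JS-0001", "severity": "high"}],
})

# Assumption: package managers that only show up in container (OS image) results.
OS_PACKAGE_MANAGERS = {"deb", "apk", "rpm", "linux"}


def detect_scan_type(raw: str) -> str:
    """Return 'iac', 'open-source' or 'container' from the JSON shape.

    Raises ValueError with a descriptive message when the text is not JSON or
    matches none of the known shapes, so a workflow step fails loudly instead
    of silently picking a default.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"snyk output is not valid JSON: {exc}") from None

    # Rule 1: an IaC section at the top level means `snyk iac test` results.
    if isinstance(data, dict) and "infrastructureAsCodeIssues" in data:
        return "iac"
    # Rule 2: a top-level array of projects means `--all-projects` open-source.
    if isinstance(data, list):
        if data and all(isinstance(p, dict) and "vulnerabilities" in p for p in data):
            return "open-source"
        raise ValueError("top-level array does not look like a list of Snyk projects")
    # Rule 3: vulnerabilities at the first level; the comment calls this container,
    # but a single application project looks the same, so use packageManager
    # (assumption) to tell the two apart.
    if isinstance(data, dict) and "vulnerabilities" in data:
        if data.get("packageManager") in OS_PACKAGE_MANAGERS:
            return "container"
        return "open-source"
    keys = sorted(data.keys()) if isinstance(data, dict) else type(data).__name__
    raise ValueError(f"unrecognised snyk output shape: {keys}")


def flatten_issues(raw: str) -> list:
    """Flatten issues of any scan type into (id, severity) pairs."""
    data = json.loads(raw)
    if detect_scan_type(raw) == "iac":
        return [(i["id"], i["severity"]) for i in data["infrastructureAsCodeIssues"]]
    projects = data if isinstance(data, list) else [data]
    return [(v["id"], v["severity"]) for p in projects for v in p["vulnerabilities"]]


def severity_counts(raw: str) -> dict:
    """Per-severity counts, the kind of summary a ticket integration would post."""
    return dict(Counter(sev for _, sev in flatten_issues(raw)))


if __name__ == "__main__":
    import sys
    # Usage: python detect.py snyk_output.txt  (the file the workflow redirects to)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONTAINER_OUTPUT
    print(detect_scan_type(text), severity_counts(text))
```

One check worth keeping in mind when wiring this into the workflow: `snyk test` exits non-zero whenever it finds issues, which is why the command ends in `|| true`, but that also swallows real failures (for example an authentication error), whose output is not JSON. The ValueError path above is there so that such a run fails the step with a readable message rather than being filed as a clean scan.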

@maira-samtek maira-samtek marked this pull request as draft September 18, 2024 14:54

@yonassrobi yonassrobi left a comment


LGTM. Thanks for adding the additional error messages to make debugging easier for the next time.

@maira-samtek maira-samtek marked this pull request as ready for review September 18, 2024 20:41
@maira-samtek maira-samtek merged commit ba67c24 into main Sep 18, 2024
5 of 7 checks passed