use snyk target reference

ministryofjustice · Feb 10, 2025 · f02a1cd · f02a1cd
1 parent 8e92cf4
commit f02a1cd
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 3 deletions.
diff --git a/.github/workflows/pr-merge-main.yml b/.github/workflows/pr-merge-main.yml
@@ -69,6 +69,7 @@ jobs:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       SNYK_ORG: legal-aid-agency
       SNYK_TEST_EXCLUDE: build,generated
+      SNYK_TARGET_REFERENCE: main
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
     steps:
@@ -78,12 +79,12 @@ jobs:
         continue-on-error: true
         with:
           command: monitor
-          args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE
+          args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE
       - name: Generate sarif Snyk report
         uses: snyk/actions/gradle@0.4.0
         continue-on-error: true
         with:
-          args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --sarif-file-output=snyk-report.sarif
+          args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE --sarif-file-output=snyk-report.sarif
       - name: Fix undefined values
         run: |
           cat snyk-report.sarif | jq '

diff --git a/.github/workflows/push-branch.yml b/.github/workflows/push-branch.yml
@@ -64,6 +64,7 @@ jobs:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
       SNYK_ORG: legal-aid-agency
       SNYK_TEST_EXCLUDE: build,generated
+      SNYK_TARGET_REFERENCE: main
 
     steps:
       - uses: actions/checkout@v3
@@ -80,7 +81,7 @@ jobs:
           export PATH="$HOME/.local/bin/:$PATH"
           npm install -g snyk-delta
       - name: Identify new vulnerabilities
-        run: ./snyk/snyk_delta_all_projects.sh --org=$SNYK_ORG --exclude=$SNYK_TEST_EXCLUDE
+        run: ./snyk/snyk_delta_all_projects.sh --org=$SNYK_ORG --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Run code test

diff --git a/README.md b/README.md
@@ -21,3 +21,61 @@ This API uses components from the [LAA CCMS Common Library](https://github.com/m
 
 - [laa-ccms-spring-boot-plugin](https://github.com/ministryofjustice/laa-ccms-spring-boot-common?tab=readme-ov-file#laa-ccms-spring-boot-gradle-plugin-for-java--spring-boot-projects)
 - [laa-ccms-spring-boot-starter-auth](https://github.com/ministryofjustice/laa-ccms-spring-boot-common/tree/main/laa-ccms-spring-boot-starters/laa-ccms-spring-boot-starter-auth)
+
+## Snyk code analysis (CI/CD)
+This project publishes vulnerability scans to the [LAA Snyk Dashboard (Google SSO)](https://app.snyk.io/org/legal-aid-agency).
+
+If you cannot see the LAA organisation when logged into the dashboard,
+please ask your lead developer/architect to have you added.
+
+Scans will be triggered in two ways:
+
+- Main branch - on commit, a vulnerability scan will be run and published to both the Snyk
+  server and GitHub Code Scanning. Vulnerabilites will not fail the build.
+- Feature branches - on commit, a vulnerability scan will be run to identify any new
+  vulnerabilites (compared to the main branch). If new vulnerabilites have been raised. A code
+  scan will also run to identify known security issues within the source code. If any issues are
+  found, the build will fail.
+
+### Running Snyk locally
+To run Snyk locally, you will need to [install the Snyk CLI](https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli).
+
+Once installed, you will be able to run the following commands:
+
+```shell
+snyk test
+```
+For open-source vulnerabilies and licence issues. See [`snyk test`](https://docs.snyk.io/snyk-cli/commands/test).
+
+```shell
+snyk code test
+```
+For Static Application Security Testing (SAST) - known security issues. See [`snyk code test`](https://docs.snyk.io/snyk-cli/commands/code-test).
+
+A [JetBrains Plugin](https://plugins.jetbrains.com/plugin/10972-snyk-security) is also available to integrate with your IDE. In addition to
+vulnerabilities, this plugin will also report code quality issues.
+
+### Configuration (`.snyk`)
+
+The [.snyk](.snyk) file is used to configure exclusions for scanning. If a vulnerability is not
+deemed to be a threat, or will be dealt with later, it can be added here to stop the pipeline
+failing. See [documentation](https://docs.snyk.io/manage-risk/policies/the-.snyk-file) for more details.
+
+### False Positives
+
+Snyk may report that new vulnerabilities have been introduced on a feature branch and fail the
+pipeline, even if this is not the case. As newly identified vulnerabilities are always being
+published, the report for the main branch may become outdated when a new vulnerability is published.
+
+If you think this may be the case, simply re-run the `monitor` command against the `main` branch
+to update the report on the Snyk server, then re-run your pipeline.
+
+Please ensure this matches the command used by the [pr-merge-main](.github/workflows/pr-merge-main.yml)
+workflow to maintain consistency.
+
+```shell
+snyk monitor --org=legal-aid-agency --all-projects --exclude=build,generated --target-reference=main
+```
+
+You should then see the new vulnerability in the LAA Dashboard, otherwise it is a new
+vulnerability introduced on the feature branch that needs to be resolved.