From f02a1cd0575c5926f05f8c99c0de0e92df19704a Mon Sep 17 00:00:00 2001
From: farrell-m
Date: Mon, 10 Feb 2025 16:50:10 +0000
Subject: [PATCH] use snyk target reference

---
 .github/workflows/pr-merge-main.yml | 5 ++-
 .github/workflows/push-branch.yml | 3 +-
 README.md | 58 +++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/pr-merge-main.yml b/.github/workflows/pr-merge-main.yml
index 5c254367..308eac12 100644
--- a/.github/workflows/pr-merge-main.yml
+++ b/.github/workflows/pr-merge-main.yml
@@ -69,6 +69,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 SNYK_ORG: legal-aid-agency
 SNYK_TEST_EXCLUDE: build,generated
+ SNYK_TARGET_REFERENCE: main
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
@@ -78,12 +79,12 @@ jobs:
 continue-on-error: true
 with:
 command: monitor
- args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE
+ args: --org=${SNYK_ORG} --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE
 - name: Generate sarif Snyk report
 uses: snyk/actions/gradle@0.4.0
 continue-on-error: true
 with:
- args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --sarif-file-output=snyk-report.sarif
+ args: --org=$SNYK_ORG --all-projects --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE --sarif-file-output=snyk-report.sarif
 - name: Fix undefined values
 run: |
 cat snyk-report.sarif | jq '
diff --git a/.github/workflows/push-branch.yml b/.github/workflows/push-branch.yml
index 47f2bb9b..c1174452 100644
--- a/.github/workflows/push-branch.yml
+++ b/.github/workflows/push-branch.yml
@@ -64,6 +64,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 SNYK_ORG: legal-aid-agency
 SNYK_TEST_EXCLUDE: build,generated
+ SNYK_TARGET_REFERENCE: main
 steps:
 - uses: actions/checkout@v3
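Review bot: `SNYK_TARGET_REFERENCE: main` is a hard-coded literal in the job env, so if this workflow is ever started from another ref (a manual dispatch, say; its `on:` trigger is outside the hunk) the `monitor` step would publish that ref's results under the `main` target reference, which is the baseline the feature-branch delta check reads. If the job is only ever meant to run on `main`, a comment saying so stops the next maintainer from "fixing" it to `${{ github.ref_name }}`: `# baseline snapshot that push-branch.yml's snyk-delta step compares against; must stay 'main'`. The same literal is introduced a second time in the push-branch.yml env hunk below and a third time in the README's `snyk monitor` example, with no single source of truth, so the three can drift apart silently.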
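Review bot: Both changed `args:` lines sit under `continue-on-error: true`, so if the CLI rejects `--target-reference` on the plain `test` invocation that produces the SARIF (the second changed line, where no `command:` is set) the step fails silently, `snyk-report.sarif` is never written, and the following `cat snyk-report.sarif | jq` step is what actually breaks; please confirm the flag is accepted for `test` in `snyk/actions/gradle@0.4.0` and not only for `monitor`. While here, `uses: snyk/actions/gradle@0.4.0` is pinned to a mutable tag rather than a commit SHA, which is outside this commit's change but is the usual supply-chain hardening for a step that receives `SNYK_TOKEN`. The mix of `${SNYK_ORG}` on the first line and `$SNYK_ORG` on the second is harmless but inconsistent; `$SNYK_ORG` on both reads better.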
@@ -80,7 +81,7 @@ jobs:
 export PATH="$HOME/.local/bin/:$PATH"
 npm install -g snyk-delta
 - name: Identify new vulnerabilities
- run: ./snyk/snyk_delta_all_projects.sh --org=$SNYK_ORG --exclude=$SNYK_TEST_EXCLUDE
+ run: ./snyk/snyk_delta_all_projects.sh --org=$SNYK_ORG --exclude=$SNYK_TEST_EXCLUDE --target-reference=$SNYK_TARGET_REFERENCE
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Run code test
diff --git a/README.md b/README.md
index 32900202..9d0e9185 100644
--- a/README.md
+++ b/README.md
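Review bot: The new `--target-reference=$SNYK_TARGET_REFERENCE` argument is handed to `./snyk/snyk_delta_all_projects.sh`, which this commit does not touch, so either the script already parses and forwards it or the argument is silently ignored and the delta keeps being computed against whatever baseline the script selected before; the script is outside this diff, so that needs confirming before relying on the new check. If it is forwarded, the baseline it selects must match the reference under which pr-merge-main's `monitor` step publishes, otherwise no baseline is likely to be found and the feature-branch run would report every finding as new. Quoting the expansions, `run: ./snyk/snyk_delta_all_projects.sh --org="$SNYK_ORG" --exclude="$SNYK_TEST_EXCLUDE" --target-reference="$SNYK_TARGET_REFERENCE"`, is the safer shell idiom should any of these env values ever contain whitespace. The `run:` step's surrounding `steps:` list starts above the hunk.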
@@ -21,3 +21,61 @@ This API uses components from the [LAA CCMS Common Library](https://github.com/m
 - [laa-ccms-spring-boot-plugin](https://github.com/ministryofjustice/laa-ccms-spring-boot-common?tab=readme-ov-file#laa-ccms-spring-boot-gradle-plugin-for-java--spring-boot-projects)
 - [laa-ccms-spring-boot-starter-auth](https://github.com/ministryofjustice/laa-ccms-spring-boot-common/tree/main/laa-ccms-spring-boot-starters/laa-ccms-spring-boot-starter-auth)
+
+## Snyk code analysis (CI/CD)
+This project publishes vulnerability scans to the [LAA Snyk Dashboard (Google SSO)](https://app.snyk.io/org/legal-aid-agency).
+
+If you cannot see the LAA organisation when logged into the dashboard,
+please ask your lead developer/architect to have you added.
+
+Scans will be triggered in two ways:
+
+- Main branch - on commit, a vulnerability scan will be run and published to both the Snyk
+ server and GitHub Code Scanning. Vulnerabilites will not fail the build.
+- Feature branches - on commit, a vulnerability scan will be run to identify any new
+ vulnerabilites (compared to the main branch). If new vulnerabilites have been raised. A code
+ scan will also run to identify known security issues within the source code. If any issues are
+ found, the build will fail.
+
+### Running Snyk locally
+To run Snyk locally, you will need to [install the Snyk CLI](https://docs.snyk.io/snyk-cli/install-or-update-the-snyk-cli).
+
+Once installed, you will be able to run the following commands:
+
+```shell
+snyk test
+```
+For open-source vulnerabilies and licence issues. See [`snyk test`](https://docs.snyk.io/snyk-cli/commands/test).
+
+```shell
+snyk code test
+```
+For Static Application Security Testing (SAST) - known security issues. See [`snyk code test`](https://docs.snyk.io/snyk-cli/commands/code-test).
+
+A [JetBrains Plugin](https://plugins.jetbrains.com/plugin/10972-snyk-security) is also available to integrate with your IDE. In addition to
+vulnerabilities, this plugin will also report code quality issues.
+
+### Configuration (`.snyk`)
+
+The [.snyk](.snyk) file is used to configure exclusions for scanning. If a vulnerability is not
+deemed to be a threat, or will be dealt with later, it can be added here to stop the pipeline
+failing. See [documentation](https://docs.snyk.io/manage-risk/policies/the-.snyk-file) for more details.
+
+### False Positives
+
+Snyk may report that new vulnerabilities have been introduced on a feature branch and fail the
+pipeline, even if this is not the case. As newly identified vulnerabilities are always being
+published, the report for the main branch may become outdated when a new vulnerability is published.
+
+If you think this may be the case, simply re-run the `monitor` command against the `main` branch
+to update the report on the Snyk server, then re-run your pipeline.
+
+Please ensure this matches the command used by the [pr-merge-main](.github/workflows/pr-merge-main.yml)
+workflow to maintain consistency.
+
+```shell
+snyk monitor --org=legal-aid-agency --all-projects --exclude=build,generated --target-reference=main
+```
+
+You should then see the new vulnerability in the LAA Dashboard, otherwise it is a new
+vulnerability introduced on the feature branch that needs to be resolved.