From 94926e809e3e0c37ace806682b7d9eb673fa08b3 Mon Sep 17 00:00:00 2001 From: Jiri Sztuka Date: Tue, 13 Aug 2024 12:16:31 +0200 Subject: [PATCH] feat(STONEINTG-1020): make snyk scan all files --- .tekton/pull-request.yaml | 2 +- pipelines/docker-build-oci-ta/README.md | 7 +- pipelines/docker-build-oci-ta/patch.yaml | 7 +- pipelines/docker-build/README.md | 12 +- pipelines/java-builder/README.md | 12 +- pipelines/nodejs-builder/README.md | 12 +- pipelines/tekton-bundle-builder/README.md | 12 +- pipelines/template-build/template-build.yaml | 2 +- ta-generator/golden/sast-snyk-check/base.yaml | 2 +- ta-generator/golden/sast-snyk-check/ta.yaml | 8 +- task/sast-snyk-check-oci-ta/0.2/MIGRATION.md | 5 + task/sast-snyk-check-oci-ta/0.2/README.md | 25 +++ task/sast-snyk-check-oci-ta/0.2/recipe.yaml | 28 ++++ .../0.2/sast-snyk-check-oci-ta.yaml | 149 ++++++++++++++++++ task/sast-snyk-check/0.2/MIGRATION.md | 4 + task/sast-snyk-check/0.2/README.md | 35 ++++ task/sast-snyk-check/0.2/sast-snyk-check.yaml | 128 +++++++++++++++ 17 files changed, 417 insertions(+), 33 deletions(-) create mode 100644 task/sast-snyk-check-oci-ta/0.2/MIGRATION.md create mode 100644 task/sast-snyk-check-oci-ta/0.2/README.md create mode 100644 task/sast-snyk-check-oci-ta/0.2/recipe.yaml create mode 100644 task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml create mode 100644 task/sast-snyk-check/0.2/MIGRATION.md create mode 100644 task/sast-snyk-check/0.2/README.md create mode 100644 task/sast-snyk-check/0.2/sast-snyk-check.yaml diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 55279e1dd4..b08092c7db 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml 
@@ -5,7 +5,7 @@ metadata: name: build-definitions-pull-request annotations: pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || !body.pull_request.draft) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) - pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.1/sast-snyk-check.yaml]" + pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.2/sast-snyk-check.yaml]" pipelinesascode.tekton.dev/task-2: "yaml-lint" pipelinesascode.tekton.dev/max-keep-runs: "5" spec: diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index af06676dab..7b980d537e 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md 
@@ -133,12 +133,13 @@ |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sast-snyk-check-oci-ta:0.1 task parameters +### sast-snyk-check-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| NONE | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |image-digest| Image digest to report findings for.| | | |image-url| Image URL.| | | ### sbom-json-check:0.1 task parameters 
@@ -216,12 +217,12 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-container:0.2:CACHI2_ARTIFACT ; build-source-image:0.1:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.1:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-container:0.2:SOURCE_ARTIFACT ; build-source-image:0.1:SOURCE_ARTIFACT ; sast-snyk-check:0.2:SOURCE_ARTIFACT ; push-dockerfile:0.1:SOURCE_ARTIFACT| ### push-dockerfile-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sast-snyk-check-oci-ta:0.1 task results +### sast-snyk-check-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 2a294b5809..f48fd43c07 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -108,10 +108,15 @@ - op: add # In the docker-build Pipeline, the snyk Task does not receive any parameters, so we cannot # append to it. - path: /spec/tasks/8/params + path: /spec/tasks/8/params/- value: - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/8/params/- + value: + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove path: /spec/tasks/8/workspaces/0 
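Review bot: The new `add` op at `path: /spec/tasks/8/params/-` carries a YAML list as its `value` (`- name: CACHI2_ARTIFACT …`), and the SOURCE_ARTIFACT op above it was switched to the same `/-` path while keeping its list-shaped value; RFC 6902 `add` on `/-` appends the value as a single element, so unless the build's patch tool flattens it, each op nests a list inside `params`, which Tekton will not accept as a parameter. Make each value one object: `value:` / `name: CACHI2_ARTIFACT` / `value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)`. The retained comment "the snyk Task does not receive any parameters, so we cannot append to it" also contradicts the `/-` path, which requires `params` to already exist on task 8; either the comment is stale and should be dropped, or the first op must keep creating the key with `path: /spec/tasks/8/params`.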
diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 3ee59862c2..17fcd32006 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -128,7 +128,7 @@ |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sast-snyk-check:0.1 task parameters +### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | 
@@ -174,9 +174,9 @@ ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | 
@@ -214,7 +214,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sast-snyk-check:0.1 task results +### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | @@ -236,7 +236,7 @@ |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.2:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### buildah:0.2 task workspaces |name|description|optional|workspace from pipeline @@ -258,7 +258,7 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-snyk-check:0.1 task workspaces +### sast-snyk-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| | False| workspace| diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index cbd47c017b..a4a882c2ab 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md 
@@ -112,7 +112,7 @@ |PATH_CONTEXT| The location of the path to run s2i from| .| '$(params.path-context)'| |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### sast-snyk-check:0.1 task parameters +### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | 
@@ -193,12 +193,12 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | -### sast-snyk-check:0.1 task results +### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | 
@@ -220,7 +220,7 @@ |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -242,7 +242,7 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| -### sast-snyk-check:0.1 task workspaces +### sast-snyk-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| | False| workspace| diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index fa96efa0ac..5ebf34b6ed 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -113,7 +113,7 @@ |PATH_CONTEXT| The location of the path to run s2i from.| .| '$(params.path-context)'| |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### sast-snyk-check:0.1 task parameters +### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | 
@@ -193,10 +193,10 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| -### sast-snyk-check:0.1 task results +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | 
@@ -218,7 +218,7 @@ |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -240,7 +240,7 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |source| Workspace containing the source code to build.| False| workspace| -### sast-snyk-check:0.1 task workspaces +### sast-snyk-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| | False| workspace| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index bb66ed2f18..751dd857a4 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -82,7 +82,7 @@ |IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| |IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sast-snyk-check:0.1 task parameters +### sast-snyk-check:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | 
@@ -143,7 +143,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sast-snyk-check:0.1 task results +### sast-snyk-check:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | 
@@ -155,16 +155,16 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.2:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline 
@@ -182,7 +182,7 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-snyk-check:0.1 task workspaces +### sast-snyk-check:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| | False| workspace| diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index c852f64ef1..55531fc185 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -192,7 +192,7 @@ spec: - build-container taskRef: name: sast-snyk-check - version: "0.1" + version: "0.2" workspaces: - name: workspace workspace: workspace diff --git a/ta-generator/golden/sast-snyk-check/base.yaml b/ta-generator/golden/sast-snyk-check/base.yaml index 8894d28492..99b466a633 100644 --- a/ta-generator/golden/sast-snyk-check/base.yaml +++ b/ta-generator/golden/sast-snyk-check/base.yaml @@ -63,7 +63,7 @@ spec: SNYK_EXIT_CODE=0 SOURCE_CODE_DIR=$(workspaces.workspace.path)/source - snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? + snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? test_not_skipped=0 SKIP_MSG="We found 0 supported files" grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? diff --git a/ta-generator/golden/sast-snyk-check/ta.yaml b/ta-generator/golden/sast-snyk-check/ta.yaml index 66e8e98490..c3a20b21b0 100644 --- a/ta-generator/golden/sast-snyk-check/ta.yaml +++ b/ta-generator/golden/sast-snyk-check/ta.yaml @@ -3,7 +3,7 @@ apiVersion: tekton.dev/v1 kind: Task metadata: labels: - app.kubernetes.io/version: "0.1" + app.kubernetes.io/version: "0.2" annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" 
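Review bot: Quoting `$ARGS` in the golden base at `snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 …` turns the default `--all-projects --exclude=test*,vendor,deps` into a single argv token, whereas 0.1 left `$ARGS` unquoted so the shell split it into two flags; snyk will likely see one unrecognised option (or a bogus path) rather than the intended flags. Split it deliberately instead: `read -ra SNYK_ARGS <<< "$ARGS"` before the call and `snyk code test "${SNYK_ARGS[@]}" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?`. The same quoted form appears in the golden ta.yaml and in both 0.2 task files in this change, so they need the same fix. The enclosing step script starts and ends outside this hunk.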
@@ -33,6 +33,10 @@ spec: - name: SOURCE_ARTIFACT type: string description: The Trusted Artifact URI pointing to the artifact with the application source code. + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. + type: string + default: "" - name: SNYK_SECRET description: Name of secret which contains Snyk token. default: snyk-secret @@ -91,7 +95,7 @@ spec: SNYK_EXIT_CODE=0 SOURCE_CODE_DIR=/var/workdir/source - snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? + snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? test_not_skipped=0 SKIP_MSG="We found 0 supported files" grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? diff --git a/task/sast-snyk-check-oci-ta/0.2/MIGRATION.md b/task/sast-snyk-check-oci-ta/0.2/MIGRATION.md new file mode 100644 index 0000000000..a6b4a10f31 --- /dev/null +++ b/task/sast-snyk-check-oci-ta/0.2/MIGRATION.md @@ -0,0 +1,5 @@ +# Migration from 0.1 to 0.2 + +Inherited from sast-snyk-check task, +Scanned dir `SOURCE_CODE_DIR`=$(workspaces.workspace.path)/source changed to `SOURCE_CODE_DIR`=$(workspaces.workspace.path) +Added `--max-depth=1` option, so snyk is now scanning both source code and dependencies within workspace. diff --git a/task/sast-snyk-check-oci-ta/0.2/README.md b/task/sast-snyk-check-oci-ta/0.2/README.md new file mode 100644 index 0000000000..a09267ed32 --- /dev/null +++ b/task/sast-snyk-check-oci-ta/0.2/README.md 
@@ -0,0 +1,25 @@ +# sast-snyk-check-oci-ta task + +Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. + +Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline. + +The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test + +See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false| +|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.||true| +|image-digest|Image digest to report findings for.|""|false| +|image-url|Image URL.|""|false| + +## Results +|name|description| +|---|---| +|TEST_OUTPUT|Tekton task test output.| + diff --git a/task/sast-snyk-check-oci-ta/0.2/recipe.yaml b/task/sast-snyk-check-oci-ta/0.2/recipe.yaml new file mode 100644 index 0000000000..d417f35bd4 --- /dev/null +++ b/task/sast-snyk-check-oci-ta/0.2/recipe.yaml 
@@ -0,0 +1,28 @@ +--- +base: ../../sast-snyk-check/0.2/sast-snyk-check.yaml +add: + - use-source +description: >- + Scans source code for security vulnerabilities, including common issues such as SQL injection, + cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application + Security Testing (SAST) tool. + + + Follow the steps given + [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) + to obtain a snyk-token and to enable the snyk task in a Pipeline. + + + The snyk binary used in this Task comes from a container image defined in + https://github.com/konflux-ci/konflux-test + + + See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk + tool. +preferStepTemplate: true +removeWorkspaces: + - workspace +replacements: + workspaces.workspace.path: /var/workdir +regexReplacements: + hacbs/\$\(context.task.name\): source diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml new file mode 100644 index 0000000000..b3b8afdb50 --- /dev/null +++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml 
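Review bot: The recipe adds only `use-source`, so the generated sast-snyk-check-oci-ta task declares a `CACHI2_ARTIFACT` parameter but its `use-trusted-artifact` step never extracts it, leaving nothing but the source tree under `/var/workdir` for the "scan dependencies too" change to find. If the generator offers a `use-cachi2` addition as other oci-ta recipes appear to, add it under `add:` as `- use-cachi2`; otherwise the extraction line `$(params.CACHI2_ARTIFACT)=/var/workdir/cachi2` has to be added to the generated task by hand. The oci-ta README in this change also lists CACHI2_ARTIFACT as required while the task defaults it to `""`; the two should agree.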
@@ -0,0 +1,149 @@ +--- +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: sast-snyk-check-oci-ta + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: konflux + labels: + app.kubernetes.io/version: "0.2" +spec: + description: |- + Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. + + Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline. + + The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test + + See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool. + params: + - name: ARGS + description: Append arguments. + type: string + default: --all-projects --exclude=test*,vendor,deps + - name: SNYK_SECRET + description: Name of secret which contains Snyk token. + default: snyk-secret + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. + type: string + - name: CACHI2_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the prefetched dependencies. + type: string + default: "" + - name: image-digest + description: Image digest to report findings for. + type: string + default: "" + - name: image-url + description: Image URL. + type: string + default: "" + results: + - name: TEST_OUTPUT + description: Tekton task test output. 
+ volumes: + - name: snyk-secret + secret: + optional: true + secretName: $(params.SNYK_SECRET) + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - name: sast-snyk-check + image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + workingDir: /var/workdir/source + volumeMounts: + - mountPath: /etc/secrets + name: snyk-secret + readOnly: true + env: + - name: SNYK_SECRET + value: $(params.SNYK_SECRET) + - name: ARGS + value: $(params.ARGS) + script: | + #!/usr/bin/env bash + set -euo pipefail + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + + SNYK_TOKEN_PATH="/etc/secrets/snyk_token" + + if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then + # SNYK token is provided + SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})" + export SNYK_TOKEN + else + to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)' + note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}" + TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi + + SNYK_EXIT_CODE=0 + SOURCE_CODE_DIR=/var/workdir + snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2 >>stdout.txt || SNYK_EXIT_CODE=$? + test_not_skipped=0 + SKIP_MSG="We found 0 supported files" + grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? 
+ + if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then + cat sast_snyk_check_out.json + TEST_OUTPUT= + parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true + + # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation + elif [[ "$test_not_skipped" -eq 0 ]]; then + note="Task $(context.task.name) success: Snyk code test found zero supported files." + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + else + echo "sast-snyk-check test failed because of the following issues:" + cat stdout.txt + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + fi + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) + - name: upload + image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820 + workingDir: /var/workdir/source + env: + - name: IMAGE_URL + value: $(params.image-url) + - name: IMAGE_DIGEST + value: $(params.image-digest) + script: | + #!/usr/bin/env bash + + UPLOAD_FILE=sast_snyk_check_out.json + MEDIA_TYPE=application/sarif+json + + if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then + echo 'No image-url or image-digest param provided. Skipping upload.' + exit 0 + fi + + if [ ! -f "${UPLOAD_FILE}" ]; then + echo "No ${UPLOAD_FILE} exists. Skipping upload." + exit 0 + fi + + echo "Selecting auth" + select-oci-auth $IMAGE_URL >$HOME/auth.json + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" 
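Review bot: In the `sast-snyk-check` step, `snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 …` passes the whole `ARGS` param as one argument, so the default `--all-projects --exclude=test*,vendor,deps` no longer reaches snyk as two flags (0.1 left `$ARGS` unquoted for exactly this reason), and the resulting non-zero exit would most likely fall into the `else` branch and be reported as a task ERROR. Replace it with `read -ra SNYK_ARGS <<< "$ARGS"` followed by `snyk code test "${SNYK_ARGS[@]}" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2 >>stdout.txt || SNYK_EXIT_CODE=$?`. Separately, `CACHI2_ARTIFACT` is declared but the `use-trusted-artifact` step only extracts `SOURCE_ARTIFACT` into `/var/workdir/source`, so pointing `SOURCE_CODE_DIR` at `/var/workdir` adds no dependency code to the scan; please also confirm `--max-depth` is an option `snyk code test` accepts, since the MIGRATION note relies on it.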
diff --git a/task/sast-snyk-check/0.2/MIGRATION.md b/task/sast-snyk-check/0.2/MIGRATION.md new file mode 100644 index 0000000000..a418949755 --- /dev/null +++ b/task/sast-snyk-check/0.2/MIGRATION.md @@ -0,0 +1,4 @@ +# Migration from 0.1 to 0.2 + +Scanned dir `SOURCE_CODE_DIR`=$(workspaces.workspace.path)/source changed to `SOURCE_CODE_DIR`=$(workspaces.workspace.path) +Added `--max-depth=1` option, so snyk is now scanning both source code and dependencies within workspace. diff --git a/task/sast-snyk-check/0.2/README.md b/task/sast-snyk-check/0.2/README.md new file mode 100644 index 0000000000..bb189328c2 --- /dev/null +++ b/task/sast-snyk-check/0.2/README.md 
@@ -0,0 +1,35 @@
+# sast-snyk-check task
+
+## Description:
+
+The sast-snyk-check task uses Snyk Code tool to perform Static Application Security Testing (SAST) for Snyk, a popular cloud-native application security platform.
+
+Snyk's SAST tool uses a combination of static analysis and machine learning techniques to scan an application's source code for potential security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks.
+
+> NOTE: This task is executed only if the user provides a Snyk token stored in a secret in their namespace. The name of the secret then needs to be supplied in the `snyk-secret` pipeline parameter.
+
+## Params:
+
+| name | description |
+|-------------|-------------------------------------------|
+| SNYK_SECRET | Name of secret which contains Snyk token. |
+| ARGS | Append arguments. |
+
+## How to obtain a snyk-token and enable snyk task on the pipeline:
+
+Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
+
+## Results:
+
+| name | description |
+|-----------------------|--------------------------|
+| TEST_OUTPUT | Tekton task test output. |
+
+## Source repository for image:
+
+https://github.com/konflux-ci/konflux-test
+
+## Additional links:
+
+* https://snyk.io/product/snyk-code/
+* https://snyk.io/
diff --git a/task/sast-snyk-check/0.2/sast-snyk-check.yaml b/task/sast-snyk-check/0.2/sast-snyk-check.yaml
new file mode 100644
index 0000000000..0f2d7c6f35
--- /dev/null
+++ b/task/sast-snyk-check/0.2/sast-snyk-check.yaml
@@ -0,0 +1,128 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ labels:
+ app.kubernetes.io/version: "0.2"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: "konflux"
+ name: sast-snyk-check
+spec:
+ description: >-
+ Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
+ results:
+ - description: Tekton task test output.
+ name: TEST_OUTPUT
+ params:
+ - name: SNYK_SECRET
+ description: Name of secret which contains Snyk token.
+ default: snyk-secret
+ - name: ARGS
+ type: string
+ description: Append arguments.
+ default: "--all-projects --exclude=test*,vendor,deps"
+ - description: Image URL.
+ name: image-url
+ type: string
+ # In a future 0.2 version of the task, drop the default to make this required
+ default: ""
+ - description: Image digest to report findings for.
+ name: image-digest
+ type: string
+ # In a future 0.2 version of the task, drop the default to make this required
+ default: ""
+ volumes:
+ - name: snyk-secret
+ secret:
+ secretName: $(params.SNYK_SECRET)
+ optional: true
+ steps:
+ - name: sast-snyk-check
+ image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940
+ # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+ # the cluster will set imagePullPolicy to IfNotPresent
+ workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+ volumeMounts:
+ - name: snyk-secret
+ mountPath: "/etc/secrets"
+ readOnly: true
+ env:
+ - name: SNYK_SECRET
+ value: $(params.SNYK_SECRET)
+ - name: ARGS
+ value: $(params.ARGS)
+ script: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+ . /utils.sh
+ trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
+
+ SNYK_TOKEN_PATH="/etc/secrets/snyk_token"
+
+ if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then
+ # SNYK token is provided
+ SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})"
+ export SNYK_TOKEN
+ else
+ to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)'
+ note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}"
+ TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ SNYK_EXIT_CODE=0
+ SOURCE_CODE_DIR=$(workspaces.workspace.path)
+ snyk code test "$ARGS" "$SOURCE_CODE_DIR" --max-depth=1 --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?
+ test_not_skipped=0
+ SKIP_MSG="We found 0 supported files"
+ grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
+
+ if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then
+ cat sast_snyk_check_out.json
+ TEST_OUTPUT=
+ parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true
+
+ # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation
+ elif [[ "$test_not_skipped" -eq 0 ]]; then
+ note="Task $(context.task.name) success: Snyk code test found zero supported files."
+ ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note")
+ else
+ echo "sast-snyk-check test failed because of the following issues:"
+ cat stdout.txt
+ note="Task $(context.task.name) failed: For details, check Tekton task log."
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ fi
+ echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
+ - name: upload
+ image: quay.io/konflux-ci/oras:latest@sha256:f4b891ee3038a5f13cd92ff4f473faad5601c2434d1c6b9bccdfc134d9d5f820
+ workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+ env:
+ - name: IMAGE_URL
+ value: $(params.image-url)
+ - name: IMAGE_DIGEST
+ value: $(params.image-digest)
+ script: |
+ #!/usr/bin/env bash
+
+ UPLOAD_FILE=sast_snyk_check_out.json
+ MEDIA_TYPE=application/sarif+json
+
+ if [ -z "${IMAGE_URL}" ] || [ -z "${IMAGE_DIGEST}" ]; then
+ echo 'No image-url or image-digest param provided. Skipping upload.'
+ exit 0;
+ fi
+
+ if [ ! -f "${UPLOAD_FILE}" ]; then
+ echo "No ${UPLOAD_FILE} exists. Skipping upload."
+ exit 0;
+ fi
+
+ echo "Selecting auth"
+ select-oci-auth $IMAGE_URL > $HOME/auth.json
+ echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API"
+ oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
+ echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag"
+ oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
+ workspaces:
+ - name: workspace
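Review bot: With `SOURCE_CODE_DIR` now set to the workspace root, this step's own `workingDir` (`$(workspaces.workspace.path)/hacbs/sast-snyk-check`, where `stdout.txt` and the SARIF file are written) and any other task output under `hacbs/` sit inside the scan tree, and the default `--exclude=test*,vendor,deps` does not name them, so — depending on how snyk applies `--max-depth=1` — they may be scanned and result paths presumably become workspace-relative instead of `source`-relative; if that is not intended, `default: "--all-projects --exclude=test*,vendor,deps,hacbs"` keeps the scope tight. `"$ARGS"` is quoted, so the two default options reach snyk as a single argv word; `read -ra SNYK_ARGS <<< "$ARGS"` followed by `snyk code test "${SNYK_ARGS[@]}" ...` makes the param behave as the "Append arguments" description promises. Under `set -u`, `${TEST_OUTPUT:-${ERROR_OUTPUT}}` expands an unset `ERROR_OUTPUT` whenever the exit-0/1 branch runs and `parse_test_output` (silenced by `|| true`) leaves `TEST_OUTPUT` empty, aborting into the EXIT trap instead of emitting the intended result; initialising `ERROR_OUTPUT=` next to `SNYK_EXIT_CODE=0` avoids that. The `upload` step has no `set -e`, so a failure of the first `oras attach` is masked by the second's exit status; add `set -euo pipefail` or an explicit `|| exit 1` on each attach, unless one successful attach is meant to suffice.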