Snyk Code scanning
The Snyk step in Harness STO allows you to scan your code for security vulnerabilities using source code analysis. This document helps you to configure the Snyk step in your pipeline to perform Snyk Code scanning either through orchestration or ingestion scan modes in STO.
- Orchestration mode: In this mode, the Snyk step runs the scan, then normalizes and deduplicates the results.
- Ingestion mode: In this mode, the Snyk step reads scan results from a data file, normalizes the data, and deduplicates it.
Refer to the Snyk step configuration document to learn more about the fields in the Snyk step and how to configure them.
Snyk Code scan - Orchestration mode
This feature is currently behind the feature flag STO_SNYK_ORCHESTRATION_ENHANCEMENTS. Contact Harness Support to enable this feature.
To perform Snyk Code scanning in the Orchestration scan mode, follow these steps:
- Search for and add the Snyk step to your pipeline. You can use this step in a Build stage or a Security stage.
- In the step configuration, set the following fields:
  - Set the Scan Mode to Orchestration.
  - Under Target, set the Type to Repository.
  - Set the Scan Configuration to Snyk Code.
  - For Target and Variant Detection, the Auto option is preferred; alternatively, define them using the Manual option.
  - Under Authentication, pass your Snyk API token as a Harness secret, for example: <+secrets.getValue("snyk_api_token")>
Refer to Snyk step configuration document to learn more about all the fields and their configurations.
Snyk Code scan - Ingestion mode
In the Ingestion scan mode, the Snyk step reads data from a file, normalizes it, and deduplicates it. To perform a Snyk Code scan using the Ingestion scan mode, we will use two steps:
- Run step: Scan the repository with the Snyk CLI and save the output to a shared folder.
- Snyk step: Ingest the scan results from that output file.
Requirements
- Configure your code repository in your stage. You can do this in a Build stage or a Security stage.
- Go to the Overview tab of the stage. Under Shared Paths, enter the following path: /shared/scan_results. This is the location where the Run step will save the scan results.
Configure Run step
- Add the Run step to the pipeline and open the step configuration.
- In the Container Registry section, set your DockerHub connector. Snyk images are pulled from Snyk's DockerHub account.
- For Image, use a supported Snyk image for your project type and language. For example, use snyk/snyk:node for a Node.js project.
- Set the Shell field to sh.
- In the Command field, enter the following command:
  snyk code test \
    --file=SubSolution.sln \
    --sarif-file-output=/shared/scan_results/snyk_scan_results.sarif || true
- In Optional Configuration, under Environment Variables, add a variable that provides your Snyk API token: SNYK_TOKEN = <+secrets.getValue("snyk_api_token")>
- In the Advanced tab, under Failure Strategies, set the Failure Strategy to Mark as Success. This is required so that the pipeline proceeds if Snyk finds a vulnerability; otherwise, the build exits with an error code before STO can ingest the data.
Configure Snyk step
- Add the Snyk step and open the step configuration.
- Set the Scan Mode to Ingestion.
- Set the Target Type to Repository.
- For Target and Variant Detection, select the Manual option and define the target and variant.
- In the Ingestion File field, enter /shared/scan_results/snyk_scan_results.sarif.
- Apply your changes, save the configuration, and run the pipeline.
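The Ingestion-mode procedure above assembled into a single stage fragment, as an added example that is not from the Harness documentation or the Snyk step itself; the stage and step names, the connector reference, and the target name and variant are placeholders, and the field names follow the Harness pipeline YAML as the editor recalls it, so check them against the Snyk step configuration document before use (infrastructure settings are omitted).

```yaml
- stage:
    name: security                    # placeholder stage name
    identifier: security
    type: SecurityTests               # Security stage; a Build (CI) stage also works
    spec:
      cloneCodebase: true             # the repository configured for the stage
      sharedPaths:
        - /shared/scan_results        # folder where the Run step writes the SARIF file
      execution:
        steps:
          - step:
              type: Run
              name: snyk_code_scan
              identifier: snyk_code_scan
              spec:
                connectorRef: my_dockerhub_connector   # placeholder: your DockerHub connector
                image: snyk/snyk:node                  # pick the image for your language
                shell: Sh
                command: |-
                  snyk code test \
                    --file=SubSolution.sln \
                    --sarif-file-output=/shared/scan_results/snyk_scan_results.sarif || true
                envVariables:
                  SNYK_TOKEN: <+secrets.getValue("snyk_api_token")>   # token kept in a Harness secret
              failureStrategies:                       # keep the pipeline going when Snyk finds issues
                - onFailure:
                    errors:
                      - AllErrors
                    action:
                      type: MarkAsSuccess
          - step:
              type: Snyk
              name: snyk_ingest
              identifier: snyk_ingest
              spec:
                mode: ingestion
                config: default
                target:
                  type: repository
                  detection: manual
                  name: my-repo                        # placeholder target name
                  variant: main                        # placeholder variant (branch)
                ingestion:
                  file: /shared/scan_results/snyk_scan_results.sarif
```

Because both `|| true` and the Mark as Success strategy suppress non-zero exits, a CLI failure such as a rejected token also produces no SARIF file, so the Snyk step's ingestion error is the signal to watch for in that case.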
Refer to Snyk step configuration document to learn more about all the fields and their configurations.