Snyk IaC scanning
The Snyk step in Harness STO allows you to secure cloud infrastructure configurations. This document explains how to configure the Snyk step in your pipeline to perform Snyk IaC scanning in either the orchestration or the ingestion scan mode in STO.
- Orchestration mode: In this mode, the Snyk step runs the scan, then normalizes and deduplicates the results.
- Ingestion mode: In this mode, the Snyk step reads scan results from a data file, normalizes the data, and deduplicates it.
Refer to the Snyk step configuration document to learn more about the fields in the Snyk step and how to configure them.
Snyk IaC scan - Orchestration mode
This feature is currently behind the feature flag STO_SNYK_ORCHESTRATION_ENHANCEMENTS. Contact Harness Support to enable this feature.
To perform Snyk IaC scanning with the orchestration scan mode, follow these steps:
- Search for and add the Snyk step to your pipeline. You can use this step in a Build stage or a Security stage.
- In the step configuration, set the following fields:
- Set the Scan Mode to Orchestration.
- Under Target, set the Type to Repository.
- Set the Scan Configuration to Snyk Infrastructure as Code.
- For Target and Variant Detection, the Auto option is preferred, or you can define them using the Manual option.
- Under Authentication, pass your Snyk API token as a Harness secret, for example: <+secrets.getValue("snyk_api_account")>
You can scan a specific file in your repository by entering its path in the Workspace field. Make sure to include the /harness prefix in the path. For example, if your file is located at my_repo/src/main/file.tf, enter /harness/src/main/file.tf.
Refer to the Snyk step configuration document to learn more about all the fields and their configurations.
Snyk IaC scan - Ingestion mode
To perform a Snyk IaC scan with the ingestion scan mode, you need two steps:
- Run step: Scans the configuration with the Snyk CLI and saves the results to a SARIF file.
- Snyk step: Ingests the scan results from that file.
Requirements
- Configure your code repository in your stage; you can do this in a Build stage or a Security stage.
- Go to the Overview tab of the stage. Under Shared Paths, enter the path /shared/scan_results. This is the location where the Run step will save the scan results.
Configure Run step
- Add the Run step to the pipeline and open the step configuration.
- In the Container Registry section, set your DockerHub connector. Snyk images are pulled from Snyk's DockerHub account.
- For Image, use snyk/snyk:linux
- Set the Shell field to sh
- In the Command field, enter the following commands. The output file path must be the same path you later enter in the Ingestion File field of the Snyk step:
snyk iac test --sarif --sarif-file-output=/shared/scan_results/snyk_iac.sarif /harness || true
cat /shared/scan_results/snyk_iac.sarif
Snyk maintains a set of snykgoof repositories that you can use for testing your container-image scanning workflows.
- In Optional Configuration, under Environment Variables, add a variable to access your Snyk API key:
SNYK_TOKEN = <+secrets.getValue("snyk_api_token")>
- In the Advanced tab, under Failure Strategies, set the Failure Strategy to Mark as Success. This setting is required to ensure that the pipeline proceeds if Snyk finds a vulnerability. Otherwise, the build exits with an error code before STO can ingest the data.
Configure Snyk step
- Add the Snyk step and open the step configuration.
- Set the Scan Mode to Ingestion.
- Set the Target Type to Repository.
- For Target and Variant Detection, select the Manual option and define them.
- In the Ingestion File field, enter /shared/scan_results/snyk_iac.sarif
- Apply your changes, save the configuration, and run the pipeline.
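The two ingestion-mode steps described above, written out as Harness pipeline YAML. This is an added example, not from the original page or from Harness; the stage and step identifiers, the DockerHub connector reference, the target name and variant are assumptions, and the infrastructure settings of the stage are left out.

```yaml
# Added example (not from the original page); identifiers, connector ref and target name are placeholders.
- stage:
    name: snyk_iac
    identifier: snyk_iac
    type: SecurityTests
    spec:
      cloneCodebase: true        # the repository is cloned to /harness
      sharedPaths:
        - /shared/scan_results   # Shared Paths entry from the Requirements section
      # infrastructure/platform settings omitted; add your own
      execution:
        steps:
          - step:
              type: Run
              name: snyk_iac_test
              identifier: snyk_iac_test
              spec:
                connectorRef: my_dockerhub_connector   # assumed connector id
                image: snyk/snyk:linux
                shell: Sh
                command: |-
                  # "|| true" lets the step continue when Snyk finds issues
                  snyk iac test --sarif --sarif-file-output=/shared/scan_results/snyk_iac.sarif /harness || true
                  cat /shared/scan_results/snyk_iac.sarif
                envVariables:
                  SNYK_TOKEN: <+secrets.getValue("snyk_api_token")>
              failureStrategies:            # Mark as Success, so Snyk findings do not stop the pipeline
                - onFailure:
                    errors:
                      - AllErrors
                    action:
                      type: MarkAsSuccess
          - step:
              type: Snyk
              name: snyk_iac_ingest
              identifier: snyk_iac_ingest
              spec:
                mode: ingestion
                config: default
                target:
                  type: repository
                  detection: manual
                  name: my_repo        # assumed target name
                  variant: main        # assumed variant (branch)
                advanced:
                  log:
                    level: info
                ingestion:
                  file: /shared/scan_results/snyk_iac.sarif   # must match the Run step output path
```

Because `|| true` and Mark as Success also hide Snyk CLI failures such as a rejected token, check the Run step log for the SARIF content printed by `cat` to confirm that a real results file was produced before the Snyk step ingests it.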
Refer to the Snyk step configuration document to learn more about all the fields and their configurations.