Skip to main content

Ingest Scan Results from Snyk

This workflow describes how to ingest Snyk scan results into a Harness pipeline. STO supports the following scan approaches for the following Snyk products:

Important notes

Workflow Example

The following example describes how to scan a local .NET image built using Mavan. A Run step installs the build; then it scans the image and saves the output to a shared folder. A Security step then ingests the output file.

  1. In your Harness pipeline, go to the Overview tab of the Security stage. Under Shared Paths, enter a shared path such as /shared/customer_artifacts.

  2. Add a Run step that runs the build (if required) and saves the results to the shared folder:

  3. For the Run step Image, use a supported Snyk image based on the type of code in your codebase.

  4. In the Run step Command field, add code to build a local image (if required) and save the scan results to the shared folder.

    You can run a scan in this step or copy results from an external scan. In either case, the results file needs to be in the /shared/customer_artifacts/ folder where the Security step can access it.

    In this example, the Run step populates the DotNet dependencies, scans the code repository with Snyk, and saves the output to /shared/customer_artifacts/SubSolution.json.

    dotnet restore SubSolution.sln
    snyk --file=SubSolution.sln test --json /harness > /shared/customer_artifacts/SubSolution.json
  5. In the Run step Environment Variables field, under Optional Configuration, add a variable to access your Snyk API key:

    SNYK_TOKEN = <+secrets.getValue("snyk_api_token")>

    Your Run step should now look like this:

  6. In the Run step > Advanced tab > Failure Strategies, set the Failure Strategy to Mark as Success.

    This step is required to ensure that the pipeline proceeds if Snyk finds a vulnerability. Otherwise the build will exit with a error code before STO can ingest the data.

  7. Add a Security step and configure the scanner to ingest the results of the scan. In this example, the step is configured as follows:

     - step:
    type: Security
    name: snyk
    identifier: snyk
    privileged: true
    policy_type: ingestionOnly
    scan_type: repository
    product_name: snyk
    product_config_name: default
    repository_project: SubSolution
    repository_branch: <+codebase.branch>-<+codebase.tag>
    customer_artifacts_path: /shared/customer_artifacts
    manual_upload_filename: SubSolution.json
    imagePullPolicy: Always