Enabling a Snyk task

The Snyk test is available to run at build time in the default pipelines, but it requires additional configuration to enable. This procedural example illustrates a build-time test that requires the configuration of a custom secret.

The sast-snyk-check task uses the Snyk Code tool to perform static application security testing (SAST). Specifically, the Snyk check scans an application’s source code for potential security vulnerabilities, including SQL injection, cross-site scripting (XSS), and code injection attack vulnerabilities.

You can run a Snyk task only if you have a Snyk token configured in a namespace secret. Ensure that the name of your secret is included in the snyk-secret pipeline parameter.

Procedure
  1. Register for a Snyk account or log in at https://app.snyk.io/.

  2. Get a Snyk token.

    1. In the lower left of the home page, click your name, then select Account settings.

    2. From the Account Settings page, select General, which is the default, then Auth Token.

    3. Under the Auth Token section, click Click to View to see the KEY value of the automatically generated token.

  3. Enable Snyk Code.

    1. From the left panel, go to Settings > Snyk Code, then scroll to the Enable Snyk Code section.

    2. Toggle Disabled to Enabled.

    3. Click Save changes.

  4. Add your new secret to your workspace.

    1. Log in to the Konflux Overview page.

    2. From the left menu, click Secrets.

    3. Click Add secret.

    4. The Add secret page displays options for your new secret. Specify the following:

      1. For Secret for, select Build.

      2. From the Secret type drop-down menu, choose Key/value secret.

      3. From the Secret name drop-down menu, select snyk-secret.

      4. Paste your Snyk token into the Upload the file with value for your key or paste its contents field.

      5. Click Add secret to save it.

You’ve enabled the Snyk task for your build pipeline.

When multiple components are maintained in a single git repository, Snyk Code cannot distinguish which directories contain the source code for which component. Consequently, Snyk Code reports duplicated findings, because it always scans the whole git repository rather than each component separately. As a workaround for this limitation of Snyk Code, you can use the IGNORE_FILE_PATHS parameter of the sast-snyk-check task to specify which directories to ignore while scanning a specific component. In particular, you can use the parameter to make Snyk Code ignore directories that are used to build other components maintained in the same git repository.

This parameter takes a list of comma-separated file paths (directories and files) to be ignored.

Example:

 - name: IGNORE_FILE_PATHS
   value: "tests/,Dockerfile,README.md"

This action will make use of the snyk ignore command.

Additional resources

For more information about Snyk, see the Snyk website.