Enabling a Snyk task
The Snyk test is available to run at build time in the default pipelines, but it requires additional configuration to enable. This procedural example illustrates a build-time test that requires the configuration of a custom secret.
The sast-snyk-check task uses the Snyk Code tool to perform static application security testing (SAST). Specifically, the Snyk check scans an application's source code for potential security vulnerabilities, including SQL injection, cross-site scripting (XSS), and code injection attack vulnerabilities.
Note: You can run a Snyk task only if you have a Snyk token configured in a namespace secret. Ensure that the name of your secret is included in the snyk-secret pipeline parameter.
1. Register for a Snyk account or log in at https://app.snyk.io/.
2. Create a Snyk token using a Service Account.
   To create a Service Account token at the Organization level, you must have the Org Admin role in Snyk. If you do not have the required permissions, use your individual API token instead.
   1. Select the correct Group and then select the Organization that you want to work with from the left navigation panel.
   2. Verify your required access level by clicking the Members button.
   3. Click Settings and then select Service accounts from the menu next to it.
   4. In the Create a new service account section, give the service account a meaningful Name and select the appropriate Role from the drop-down menu (e.g., Org Collaborator).
   5. Click the Create button.
   6. Copy the generated API Token. This token is visible only once; secure it before clicking Close and hide.
3. Enable Snyk Code.
   Snyk Code must be enabled within your Organization settings for the SAST scan to function. Due to UI variations, use one of the following methods:
   - Recommended (via Import flow):
     1. Click the Home icon under your Organization, then select Import projects.
     2. In the third section, Configure automation settings & authenticate, ensure the Snyk Code checkbox is checked.
   - Alternative (via Settings):
     1. From the left panel, go to Settings > Snyk Code, then scroll to the Enable Snyk Code section.
     2. Toggle Disabled to Enabled.
     3. Click Save changes.
4. Add your new secret to your tenant namespace.
   1. Log in to the Konflux Overview page.
   2. From the left menu, click Secrets.
   3. Click Add secret.
   4. The Add secret page displays options for your new secret. Specify the following:
      - For Secret for, select Build.
      - From the Secret type drop-down menu, choose Key/value secret.
      - From the Secret name drop-down menu, select snyk-secret.
      - Paste your Snyk token into the Upload the file with value for your key or paste its contents field.
   5. Click Add secret to save it.
You have now enabled the Snyk task for your build pipeline.
If multiple components are maintained in a single git repository, Snyk Code cannot distinguish which directories contain the source code of which component. Consequently, Snyk Code reports duplicated findings, because it always scans the whole git repository rather than each component separately. As a workaround for this limitation of Snyk Code, use the IGNORE_FILE_PATHS parameter of the sast-snyk-check task to specify which directories should be ignored while scanning a specific component. Namely, use the parameter to make Snyk Code ignore the directories that are used to build the other components maintained in the same git repository.
This parameter takes a comma-separated list of file paths (directories and files) to be ignored.
```yaml
- name: IGNORE_FILE_PATHS
  value: "tests/,Dockerfile,README.md"
```
This action will make use of the snyk ignore command.
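As an added illustration (not part of the original page), the following shows how the parameter is set reciprocally for a monorepo with two hypothetical components, api and web, each built by its own PipelineRun under .tekton/; the component directory names, file names and pipeline file names are assumptions.

```yaml
# Added example, not from the page. Assumed monorepo layout:
#   api/   source of the "api" component
#   web/   source of the "web" component
#   tests/ shared integration tests, not part of either build
# Each component's PipelineRun tells sast-snyk-check to skip the other
# component's tree, so a finding in web/ is reported only by the web
# build and not duplicated in the api build (and vice versa).

# .tekton/api-pull-request.yaml (excerpt of spec.params)
spec:
  params:
    - name: IGNORE_FILE_PATHS
      value: "web/,tests/,README.md"
---
# .tekton/web-pull-request.yaml (excerpt of spec.params)
spec:
  params:
    - name: IGNORE_FILE_PATHS
      value: "api/,tests/,README.md"
```

Paths are relative to the repository root and directories end with a trailing slash, matching the form used in the page's own snippet.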