Expand snyk sast

release-engineering · Apr 22, 2024 · 04d2ada · 04d2ada
1 parent 6e7e7ae
commit 04d2ada
Showing 1 changed file with 86 additions and 9 deletions.
diff --git a/.tekton/sync2jira-pull-request.yaml b/.tekton/sync2jira-pull-request.yaml
@@ -325,15 +325,6 @@ spec:
       - name: sast-snyk-check
         runAfter:
           - clone-repository
-        taskRef:
-          params:
-            - name: name
-              value: sast-snyk-check
-            - name: bundle
-              value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4
-            - name: kind
-              value: task
-          resolver: bundles
         when:
           - input: $(params.skip-checks)
             operator: in
@@ -342,6 +333,92 @@ spec:
         workspaces:
           - name: workspace
             workspace: workspace
+        taskSpec:
+          apiVersion: tekton.dev/v1
+          kind: Task
+          metadata:
+            annotations:
+              tekton.dev/pipelines.minVersion: 0.12.1
+              tekton.dev/tags: appstudio, hacbs
+            labels:
+              app.kubernetes.io/version: "0.1"
+            name: sast-snyk-check
+          spec:
+            description: Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
+            params:
+              - default: snyk-secret
+                description: Name of secret which contains Snyk token.
+                name: SNYK_SECRET
+              - default: --all-projects --exclude=test*,vendor,deps
+                description: Append arguments.
+                name: ARGS
+                type: string
+            results:
+              - description: Tekton task test output.
+                name: TEST_OUTPUT
+            steps:
+              - env:
+                  - name: SNYK_SECRET
+                    value: $(params.SNYK_SECRET)
+                  - name: ARGS
+                    value: $(params.ARGS)
+                image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
+                name: sast-snyk-check
+                script: |
+                  #!/usr/bin/env bash
+                  set -euo pipefail
+                  . /utils.sh
+                  trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
+
+                  SNYK_TOKEN_PATH="/etc/secrets/snyk_token"
+
+                  if [ -f "${SNYK_TOKEN_PATH}" ] \u0026\u0026 [ -s "${SNYK_TOKEN_PATH}" ]; then
+                    # SNYK token is provided
+                    SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})"
+                    export SNYK_TOKEN
+                  else
+                    to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)'
+                    note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}"
+                    TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note")
+                    echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+                    exit 0
+                  fi
+
+                  SNYK_EXIT_CODE=0
+                  SOURCE_CODE_DIR=$(workspaces.workspace.path)/source
+                  snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1\u003e\u00262\u003e\u003e stdout.txt || SNYK_EXIT_CODE=$?
+                  test_not_skipped=0
+                  SKIP_MSG="We found 0 supported files"
+                  grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
+
+                  if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then
+                    cat sast_snyk_check_out.json
+                    TEST_OUTPUT=
+                    parse_test_output $(context.task.name) sarif sast_snyk_check_out.json  || true
+
+                  # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation
+                  elif [[ "$test_not_skipped" -eq 0 ]]; then
+                    note="Task $(context.task.name) success: Snyk code test found zero supported files."
+                    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note")
+                  else
+                    echo "sast-snyk-check test failed because of the following issues:"
+                    cat stdout.txt
+                    note="Task $(context.task.name) failed: For details, check Tekton task log."
+                    ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+                  fi
+                  echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
+                volumeMounts:
+                  - mountPath: /etc/secrets
+                    name: snyk-secret
+                    readOnly: true
+                workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+            volumes:
+              - name: snyk-secret
+                secret:
+                  optional: true
+                  secretName: $(params.SNYK_SECRET)
+            workspaces:
+              - name: workspace
       - name: clamav-scan
         params:
           - name: image-digest