diff --git a/.tekton/sync2jira-pull-request.yaml b/.tekton/sync2jira-pull-request.yaml
index 6fd0bd61..21d6c3fc 100644
--- a/.tekton/sync2jira-pull-request.yaml
+++ b/.tekton/sync2jira-pull-request.yaml
@@ -325,15 +325,6 @@ spec:
 - name: sast-snyk-check
 runAfter:
 - clone-repository
- taskRef:
- params:
- - name: name
- value: sast-snyk-check
- - name: bundle
- value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:422177f6fffa55284a30ddc4a26dca1462aee34a479529b9e2b52a5bb39606a4
- - name: kind
- value: task
- resolver: bundles
 when:
 - input: $(params.skip-checks)
 operator: in
@@ -342,6 +333,92 @@ spec:
 workspaces:
 - name: workspace
 workspace: workspace
+ taskSpec:
+ apiVersion: tekton.dev/v1
+ kind: Task
+ metadata:
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: appstudio, hacbs
+ labels:
+ app.kubernetes.io/version: "0.1"
+ name: sast-snyk-check
+ spec:
+ description: Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.
+ params:
+ - default: snyk-secret
+ description: Name of secret which contains Snyk token.
+ name: SNYK_SECRET
+ - default: --all-projects --exclude=test*,vendor,deps
+ description: Append arguments.
+ name: ARGS
+ type: string
+ results:
+ - description: Tekton task test output.
+ name: TEST_OUTPUT
+ steps:
+ - env:
+ - name: SNYK_SECRET
+ value: $(params.SNYK_SECRET)
+ - name: ARGS
+ value: $(params.ARGS)
+ image: quay.io/redhat-appstudio/hacbs-test:v1.3.0@sha256:cd4601a7d71ebd908046db7a9b7010611b8b372fe941664d5163c81250a1a1fc
+ name: sast-snyk-check
+ script: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+ . /utils.sh
+ trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT
+
+ SNYK_TOKEN_PATH="/etc/secrets/snyk_token"
+
+ if [ -f "${SNYK_TOKEN_PATH}" ] \u0026\u0026 [ -s "${SNYK_TOKEN_PATH}" ]; then
+ # SNYK token is provided
+ SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})"
+ export SNYK_TOKEN
+ else
+ to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)'
+ note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}"
+ TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note")
+ echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)"
+ exit 0
+ fi
+
+ SNYK_EXIT_CODE=0
+ SOURCE_CODE_DIR=$(workspaces.workspace.path)/source
+ snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1\u003e\u00262\u003e\u003e stdout.txt || SNYK_EXIT_CODE=$?
+ test_not_skipped=0
+ SKIP_MSG="We found 0 supported files"
+ grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
+
+ if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then
+ cat sast_snyk_check_out.json
+ TEST_OUTPUT=
+ parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true
+
+ # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation
+ elif [[ "$test_not_skipped" -eq 0 ]]; then
+ note="Task $(context.task.name) success: Snyk code test found zero supported files."
+ ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note")
+ else
+ echo "sast-snyk-check test failed because of the following issues:"
+ cat stdout.txt
+ note="Task $(context.task.name) failed: For details, check Tekton task log."
+ ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note")
+ fi
+ echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path)
+ volumeMounts:
+ - mountPath: /etc/secrets
+ name: snyk-secret
+ readOnly: true
+ workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name)
+ volumes:
+ - name: snyk-secret
+ secret:
+ optional: true
+ secretName: $(params.SNYK_SECRET)
+ workspaces:
+ - name: workspace
 - name: clamav-scan
 params:
 - name: image-digest
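Review bot: In the `snyk code test` line of the step script the redirection `1>&2>> stdout.txt` captures only stdout: `1>&2` is overridden by the following `>> stdout.txt`, so whatever Snyk writes to stderr never reaches the file that the failure branch prints with `cat stdout.txt` (nor the file that `grep -q "$SKIP_MSG" stdout.txt` inspects, if that message is emitted on stderr — not determinable from the hunk). If both streams are meant to be captured, `snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json >> stdout.txt 2>&1 || SNYK_EXIT_CODE=$?` does it. Also, when `parse_test_output` fails and is masked by `|| true`, `TEST_OUTPUT` stays empty and the final `echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}"` expands an unset `ERROR_OUTPUT` under `set -u`, which presumably ends in the EXIT trap rather than a written result — worth confirming that is the intended path, or initialising `ERROR_OUTPUT=` next to `SNYK_EXIT_CODE=0`. Minor: that last `tee $(results.TEST_OUTPUT.path)` is unquoted while the earlier one is quoted. The surrounding pipeline `tasks:` list begins and ends outside this hunk.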