Use Snyk to test your configuration files

Author: Shai Mendel

Snyk is a product that helps developers continuously find and fix vulnerabilities in open source libraries, containers and Infrastructure as Code configurations.

Requirements

Usage

The extension takes a number of arguments:

- name: a name for the resource. Useful for labeling when running multiple tests. Defaults to 'snyk'
- target: path to the file/dir, or container image name:tag, to test
- test_type: one of 'oss', 'container', or 'iac', corresponding to the various Snyk CLI tests
- test_deps: automatically set for test types other than container; allows setting an external file/dir dependency
- extra_opts: additional CLI options, appended to the snyk command; see snyk --help for usage. When using the container test type this is where to insert the '--file=path/to/Dockerfile' option
- trigger: trigger mode, auto or manual. Defaults to manual
- mode: gate or info; controls the Snyk exit code (info will always exit 0). Defaults to gate

The snyk extension can be run in a variety of different ways:

# Load the extension
load('ext://snyk', 'snyk')

# Scan Kubernetes YAML files - in this case manually triggered and in informational-only mode
snyk('kubernetes.yaml', 'iac', 'snyk-iac-manual', mode='info')

# Scan application code dependencies - in this case automatically on change and in gating mode
snyk('.', 'oss', 'snyk-oss-auto', mode='gate', trigger='auto')

# Manually scan Docker builds
# Set mutable tags for the initial build, Tilt will re-tag with immutable during deploy
custom_build('example-nodejs-image', 'docker build -t $EXPECTED_REF .', ['.'], tag='dev')
# Run snyk manually against the mutable tag, in informational mode, and also scan a Dockerfile in the same directory
snyk('example-nodejs-image:dev', 'container', 'snyk-cnr-manual', mode='info', extra_opts='--file=Dockerfile')

# Automatically scan Docker builds
# Extract the immutable tag on build and write to a file in the filesystem
custom_build('example-nodejs-image', 'docker build -t $EXPECTED_REF . && echo $EXPECTED_REF > /tmp/ref.txt', ['.'])
# Extract the tag from the file and strip any newlines
def get_tag():
    return str(read_file('/tmp/ref.txt')).rstrip('\n')
# Run snyk automatically in informational mode when the file containing the tag changes
snyk(get_tag(), 'container', 'snyk-cnr-auto', test_deps='/tmp/ref.txt', mode='info', extra_opts='--file=Dockerfile', trigger='auto')

k8s_yaml('kubernetes.yaml')
k8s_resource('example-node.js',
    port_forwards=8000
)
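To make the argument semantics above concrete, the following is an added Python model of how the documented arguments map onto a Snyk CLI invocation and a resulting exit code; it is an illustration, not the extension's own Tiltfile. The sub-command chosen per test_type is an assumption, and `runner` is a hypothetical injection point standing in for the real CLI call so the gate/info policy can be exercised without Snyk installed.

```python
"""Model of the argument semantics documented for the snyk Tilt extension.

Added illustration, not the extension's own code: builds the Snyk CLI argv
implied by each test_type and applies the gate/info exit-code policy.
"""
import shlex
import subprocess

# Snyk CLI sub-command per test_type. Assumption: the extension maps the three
# documented types onto these real CLI verbs; the README only names the types.
SNYK_VERBS = {
    "oss": ["snyk", "test"],
    "container": ["snyk", "container", "test"],
    "iac": ["snyk", "iac", "test"],
}


def build_snyk_command(target, test_type, extra_opts=""):
    """Return the argv described by target, test_type and extra_opts."""
    if test_type not in SNYK_VERBS:
        raise ValueError("test_type must be one of 'oss', 'container', or 'iac'")
    # extra_opts is a raw option string appended to the command,
    # e.g. '--file=Dockerfile' for container scans.
    return SNYK_VERBS[test_type] + [target] + shlex.split(extra_opts)


def default_test_deps(target, test_type, test_deps=None):
    """test_deps defaults to the target path except for container scans, where
    the target is an image name:tag rather than something on disk."""
    if test_deps is not None:
        return [test_deps]
    return [] if test_type == "container" else [target]


def effective_exit_code(snyk_exit_code, mode="gate"):
    """mode='gate' surfaces Snyk's exit code (non-zero on findings) so the Tilt
    resource fails; mode='info' always reports 0 (informational only)."""
    if mode not in ("gate", "info"):
        raise ValueError("mode must be 'gate' or 'info'")
    return 0 if mode == "info" else snyk_exit_code


def run_snyk(target, test_type, extra_opts="", mode="gate", runner=subprocess.call):
    """Run the scan and apply the mode policy. `runner` is a hypothetical
    injection point (argv -> exit code) defaulting to a real subprocess call."""
    argv = build_snyk_command(target, test_type, extra_opts)
    return effective_exit_code(runner(argv), mode)
```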