Add snyk-scan and report to Kosli

cyber-dojo · Sep 16, 2023 · 0b9a792 · 0b9a792
1 parent 693f5b3
commit 0b9a792
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 20 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -7,17 +7,18 @@ on:
 
 jobs:
   pre-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
 
   build-test-push:
     needs: [pre-build]
-    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_build_test_push_dockerhub.yml@main
+    uses: cyber-dojo/reusable-actions-workflows/.github/workflows/kosli_build_test.yml@main
     secrets:
       DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
       DOCKER_USER: ${{ secrets.DOCKER_USER }}
       KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
     with:
       BUILD_COMMAND: build_test_publish.sh
       KOSLI_FLOW: docker-base

diff --git a/.snyk b/.snyk
diff --git a/build_test_publish.sh b/build_test_publish.sh
@@ -11,4 +11,4 @@ tag_image
 on_ci_publish_tagged_image
 on_ci_kosli_create_flow
 on_ci_kosli_report_artifact
-#on_ci_kosli_report_snyk_evidence
+on_ci_kosli_report_snyk_evidence
diff --git a/sh/kosli.sh b/sh/kosli.sh
@@ -1,22 +1,24 @@
 #!/usr/bin/env bash
 set -Eeu
 
+export KOSLI_FLOW=docker-base
+
 # KOSLI_ORG is set in CI
 # KOSLI_API_TOKEN is set in CI
-# KOSLI_FLOW is set in CI
 # KOSLI_HOST_STAGING is set in CI
 # KOSLI_HOST_PRODUCTION is set in CI
+# SNYK_TOKEN is set in CI
 
 # - - - - - - - - - - - - - - - - - - -
 kosli_create_flow()
 {
   local -r hostname="${1}"
 
   kosli create flow "${KOSLI_FLOW}" \
-    --description "Docker base image" \
-    --host "${hostname}" \
-    --template artifact,snyk-scan \
-    --visibility public
+    --description="Docker base image" \
+    --host="${hostname}" \
+    --template=artifact,snyk-scan \
+    --visibility=public
 }
 
 # - - - - - - - - - - - - - - - - - - -
@@ -25,9 +27,9 @@ kosli_report_artifact_creation()
   local -r hostname="${1}"
 
   kosli report artifact "$(artifact_name)" \
-      --artifact-type docker \
-      --host "${hostname}" \
-      --repo-root "${REPO_ROOT}"
+      --artifact-type=docker \
+      --host="${hostname}" \
+      --repo-root="${REPO_ROOT}"
 }
 
 # - - - - - - - - - - - - - - - - - - -
@@ -36,10 +38,10 @@ kosli_report_snyk_evidence()
   local -r hostname="${1}"
 
   kosli report evidence artifact snyk "$(artifact_name)" \
-      --artifact-type docker \
-      --host "${hostname}" \
-      --name snyk-scan \
-      --scan-results snyk.json
+      --artifact-type=docker \
+      --host="${hostname}" \
+      --name=snyk-scan \
+      --scan-results="$(repo_root)/snyk.json"
 }
 
 # - - - - - - - - - - - - - - - - - - -
@@ -48,8 +50,8 @@ kosli_assert_artifact()
   local -r hostname="${1}"
 
   kosli assert artifact "$(artifact_name)" \
-      --artifact-type docker \
-      --host "${hostname}"
+      --artifact-type=docker \
+      --host="${hostname}"
 }
 
 # - - - - - - - - - - - - - - - - - - -
@@ -80,10 +82,11 @@ on_ci_kosli_report_artifact()
 on_ci_kosli_report_snyk_evidence()
 {
   if on_ci; then
+    set +e
     snyk container test "$(artifact_name)" \
-      --file="${REPO_ROOT}/app/Dockerfile" \
-      --json-file-output=snyk.json \
-      --policy-path=.snyk
+      --json-file-output="$(repo_root)/snyk.json" \
+      --policy-path="$(repo_root)/.snyk"
+    set -e
 
     kosli_report_snyk_evidence "${KOSLI_HOST_STAGING}"
     kosli_report_snyk_evidence "${KOSLI_HOST_PRODUCTION}"
@@ -99,5 +102,10 @@ on_ci_kosli_assert_artifact()
   fi
 }
 
+# - - - - - - - - - - - - - - - - - - -
+repo_root()
+{
+  git rev-parse --show-toplevel
+}