Configure an ImageVulnerabilityScan for Snyk
This topic gives you an example of how to configure a secret and ImageVulnerabilityScan (IVS) for Snyk.
Example Secret
This section contains a sample secret containing the Snyk API token, which authenticates your Snyk account. You must apply this once to your developer namespace.
ImportantFor the publicly available Snyk scanner CLI image, CLI commands and parameters used are accurate at the time of documentation.
apiVersion: v1
kind: Secret
metadata:
name: snyk-token
stringData:
snyk: |
{"api": "SNYK-API-TOKEN"}
Where SNYK-API-TOKEN is your Snyk API token obtained by following the instructions in the Snyk documentation. Do not encode this value in base64.
Example ImageVulnerabilityScan
This section contains a sample IVS that uses Snyk to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration options.
Sample IVS:
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
name: snyk-ivs
annotations:
app-scanning.apps.tanzu.vmware.com/scanner-name: Snyk
spec:
image: TARGET-IMAGE
scanResults:
location: registry/project/scan-results
serviceAccountNames:
publisher: publisher
scanner: scanner
workspace:
bindings:
- name: snyk
secret:
secretName: snyk-token
items:
- key: snyk
path: configstore/snyk.json
steps:
- name: snyk
image: SNYK-SCANNER-IMAGE
env:
- name: XDG-CONFIG-HOME
value: /snyk
command: ["snyk","container","test",$(params.image),"--json-file-output=$(params.scan-results-path)/scan.json"]
onError: continue
- name: snyk2spdx # You will need to create your own image. See explanation below.
image: SNYK2SPDX-IMAGE
command: ["/bin/bash"]
args:
- "-c"
- |
set -e
cat $(params.scan-results-path)/scan.json | /app/bin/snyk2spdx --output=$(params.scan-results-path)/scan.spdx.json
Where:
TARGET-IMAGEis the image to be scanned. You must specify the digest.SNYK-SCANNER-IMAGEis the image containing the Snyk CLI. For example,snyk/snyk:golang. For information about publicly available Snyk images, see DockerHub. For more information about using the Snyk CLI, see the Snyk documentation.XDG-CONFIG-HOMEis the directory that contains your Snyk CLI configuration file,configstore/snyk.json, which is populated using thesnyk-tokensecret that you created. For more information, see the Snyk Config documentation.SNYK2SPDX-IMAGEis the image used to convert the Snyk CLI outputscan.jsonin thesnykstep to SPDX format, and insert the missingDOCUMENT DESCRIBESrelation. For more information, see the Snyk snyk2spdx repository in GitHub.
To use the sample:
- Clone the snyk2spdx repository.
-
Add the following Dockerfile to the root of the repository by running:
FROM node AS build RUN npm install -g typescript RUN npm install -g ts-node WORKDIR /build-dir ADD . . RUN npm install --legacy-peer-deps RUN npm run build && npm prune --json --omit=dev --legacy-peer-deps RUN npx [email protected] dist/index.js -r './dist/**/*.js' -t linux-x64-12.16.2 -o snyk2spdx-linux FROM paketobuildpacks/builder-jammy-base AS run COPY --from=build /build-dir/dist/ /app/dist/ COPY --from=build /build-dir/node_modules /app/node_modules COPY --from=build /build-dir/snyk2spdx-linux /app/bin/snyk2spdx ENTRYPOINT ["/app/bin/snyk2spdx"] CMD ["/app/bin/snyk2spdx"] -
Build and push the image to a registry. Replace
SNYK2SPDX-IMAGEwith the new image you built.The
snyk2spdxoutput does not conform to the verification process. Although the results might be ingested to the Tanzu Application Platform Metadata Store, VMware does not ensure the accuracy of the results.
NoteAfter detecting vulnerabilities, the Snyk image exits with Exit Code 1 and causes a failed scan task. You can ignore the step error by setting
onErrorand handling the error in a subsequent step. For instructions, see the Tekton documentation.
For information about setting up scanner credentials, see the Snyk CLI documentation.
