Open scott-es opened 3 years ago
Hey Scotte,
also please think about including this into the basic snyk images. The biggest use case is probably to use it in CI pipelines, and there the required npm install becomes a problem, for example when deprecated dependencies are somehow an issue, or when globally installing npm packages on build agents is not allowed.
Edit: thinking about that, it would be super nice if the Azure DevOps extension would include installing the snyk-filters.
Why I have an interest in this: the problem with the "snyk test" threshold is that it also filters out findings below that threshold. At least that was the case the last time I checked with the Azure DevOps extension.
I just implemented it as an Azure DevOps Pipeline Template, completely without JavaScript:

```yaml
parameters:
  - name: snyk_filter_config
    type: string
    default: '.snyk-filter/snyk.yml'
  - name: snyk_report_json
    type: string
    default: '$(Agent.TempDirectory)/vuln-$(Build.BuildId).json'

steps:
  - task: PythonScript@0
    displayName: "👹 Vulnerability build breaker"
    inputs:
      scriptSource: 'inline'
      script: |
        import yaml
        import subprocess
        import sys

        # Read the snyk-filter config; the jq expressions live under customFilters
        with open('${{ parameters.snyk_filter_config }}') as file:
            filter_config = yaml.load(file, Loader=yaml.FullLoader)
        custom_filters = filter_config["customFilters"]

        # Pipe the Snyk JSON report through jq: "filter" selects findings, "pass" reduces them to a count
        command = "cat ${{ parameters.snyk_report_json }}"
        command = command + " | jq '%s | %s '" % (custom_filters["filter"], custom_filters["pass"])
        print("##[info]", "Compiled filter command is: ", command)

        count_filtered = subprocess.getoutput(command)
        # Fail the task when anything survives the filter
        if int(count_filtered) > 0:
            print("##vso[task.logissue type=error]", custom_filters["msg"])
            print("##vso[task.complete result=Failed;]", custom_filters["msg"])
      failOnStderr: true
```
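A Python version of the same build breaker, added here as an example (not the project's code and not the commenter's template): it keeps the filter logic in-process instead of shelling out to `cat | jq`, logs every finding but fails only on the filtered subset, and fails closed when the report cannot be parsed. The report fields and the predicate form of `customFilters` are assumptions.

```python
import json

# Constructed sample of a `snyk test --json` report; the field names are assumed.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "packageName": "pkg-a", "severity": "critical", "isUpgradable": True},
    {"id": "SNYK-EXAMPLE-2", "packageName": "pkg-b", "severity": "high", "isUpgradable": False},
    {"id": "SNYK-EXAMPLE-3", "packageName": "pkg-c", "severity": "medium", "isUpgradable": True},
    {"id": "SNYK-EXAMPLE-4", "packageName": "pkg-d", "severity": "low", "isUpgradable": False},
]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical stand-in for the customFilters block (filter / pass / msg): the jq strings
# become Python predicates. "filter" selects the findings of concern, "pass" names the ones
# tolerated anyway (here: no upgrade available yet), "msg" is the error text.
CUSTOM_FILTERS = {
    "filter": lambda v: SEVERITY_RANK.get(v.get("severity"), 0) >= SEVERITY_RANK["high"],
    "pass": lambda v: not v.get("isUpgradable", False),
    "msg": "Fixable high/critical vulnerabilities present",
}

def failing_findings(report: dict, filters: dict) -> list:
    """Findings that match the filter and are not excused by the pass rule."""
    vulns = report.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("report has no 'vulnerabilities' list")
    return [v for v in vulns if filters["filter"](v) and not filters["pass"](v)]

def build_breaker(report_json: str, filters: dict) -> int:
    """Exit code for the pipeline step: 0 = pass, 1 = fail.
    Every finding is still logged (a severity threshold would hide the rest); only the
    filtered subset breaks the build, and an unreadable report fails closed."""
    try:
        report = json.loads(report_json)
        failing = failing_findings(report, filters)
    except (ValueError, AttributeError, TypeError, KeyError) as exc:
        print(f"##vso[task.logissue type=error]Cannot evaluate Snyk report: {exc}")
        return 1
    for v in report["vulnerabilities"]:
        print(f"##[info]{v.get('severity')}: {v.get('id')} in {v.get('packageName')}")
    for v in failing:
        print(f"##vso[task.logissue type=error]{v.get('id')} ({v.get('severity')}) in {v.get('packageName')}")
    if failing:
        print(f"##vso[task.complete result=Failed;]{filters['msg']}")
        return 1
    return 0

if __name__ == "__main__":
    raise SystemExit(build_breaker(SAMPLE_REPORT, CUSTOM_FILTERS))
```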
Package the snyk-filter executable into the release assets section, as is being done with other tools.