This topic gives you an example of how to configure a secret and ImageVulnerabilityScan (IVS) for Snyk.
Important: For the publicly available Snyk scanner CLI image, the CLI commands and parameters used here are accurate at the time of documentation.
This section contains a sample secret containing the Snyk API token, which authenticates your Snyk account. You must apply this once to your developer namespace.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: snyk-token
stringData:
  snyk: |
    {"api": "SNYK-API-TOKEN"}
```

Where:

- SNYK-API-TOKEN is your Snyk API token, obtained by following the instructions in the Snyk documentation. Do not base64 encode this value.
This section contains a sample IVS that uses Snyk to scan a targeted image and push the results to the specified registry location. For information about the IVS specification, see Configuration Options.
```yaml
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  name: snyk-ivs
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: Snyk
spec:
  image: TARGET-IMAGE
  scanResults:
    location: registry/project/scan-results
  serviceAccountNames:
    publisher: publisher
    scanner: scanner
  workspace:
    bindings:
    - name: snyk
      secret:
        secretName: snyk-token
        items:
        - key: snyk
          path: configstore/snyk.json
  steps:
  - name: snyk
    image: SNYK-SCANNER-IMAGE
    env:
    # Snyk CLI reads its config from $XDG_CONFIG_HOME/configstore/snyk.json
    - name: XDG_CONFIG_HOME
      value: /snyk
    command: ["snyk", "container", "test", "$(params.image)", "--json-file-output=$(params.scan-results-path)/scan.json"]
    # Snyk exits 1 when it finds vulnerabilities; continue so the next step can convert the report
    onError: continue
  - name: snyk2spdx # You must build this image yourself. See the explanation below.
    image: SNYK2SPDX-IMAGE
    command: ["/bin/bash"]
    args:
    - "-c"
    - |
      set -e
      cat $(params.scan-results-path)/scan.json | /app/bin/snyk2spdx --output=$(params.scan-results-path)/scan.spdx.json
```
Where:

- TARGET-IMAGE is the image to be scanned. You must specify the digest.
- SNYK-SCANNER-IMAGE is the image containing the Snyk CLI, for example, snyk/snyk:golang. For information about publicly available Snyk images, see DockerHub. For more information about using the Snyk CLI, see the Snyk documentation.
- XDG_CONFIG_HOME is the directory that contains your Snyk CLI config file, configstore/snyk.json, which is populated from the snyk-token Secret you created. For more information, see the Snyk Config documentation.
- SNYK2SPDX-IMAGE is the image used to convert the Snyk CLI output scan.json from the snyk step to SPDX format and to insert its missing DOCUMENT DESCRIBES relation. See the Snyk snyk2spdx repository in GitHub. To build it:
  - Clone the snyk2spdx repository.
  - Add the following Dockerfile to the root of the repository:
  - Build and push the image to a registry. Replace SNYK2SPDX-IMAGE with the new image you built.

  Note: The snyk2spdx output does not conform to the verification process. Although the results might be ingested into the Tanzu Application Platform metadata store, VMware does not ensure the accuracy of the results.
- Note: After detecting vulnerabilities, the Snyk image exits with exit code 1 and causes a failed scan task. You can ignore the step error by setting onError and handling the error in a subsequent step. For instructions, see the Tekton documentation.
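The note above says to set onError and handle the Snyk exit code in a later step. The following is an added example, not code from the Tanzu documentation or the snyk2spdx project, of the shell logic that later step could use to decide whether scan.json is a usable report before converting it. It assumes Tekton exposes the continued step's exit code at $(steps.step-snyk.exitCode.path), and the Snyk CLI exit codes 0 (no vulnerabilities), 1 (vulnerabilities found), 2 (CLI failure) and 3 (nothing to scan).

```shell
#!/bin/sh
# Added example: gate the snyk2spdx conversion on the recorded snyk exit code.
# Assumptions: Tekton writes the continued step's exit code to
# $(steps.step-snyk.exitCode.path); Snyk CLI exit codes are
# 0 = no vulns, 1 = vulns found, 2 = CLI failure, 3 = nothing to scan.

# Map a Snyk exit code to a verdict. Returns 0 only when the scan actually
# ran, so scan.json reflects the image (exit 1 still produces a full report).
classify_snyk_exit() {
  code="$1"
  case "$code" in
    0) echo "clean" ;;
    1) echo "vulnerable" ;;
    2) echo "cli-failure"; return 1 ;;
    3) echo "nothing-to-scan"; return 1 ;;
    *) echo "unknown"; return 1 ;;
  esac
}

# Decide whether to run the converter: the exit code must mean "scan ran"
# and scan.json must exist, be non-empty and start like JSON. Arguments:
# path to the exit code file written by Tekton, path to scan.json.
should_convert() {
  exit_code_file="$1"; scan_json="$2"
  [ -r "$exit_code_file" ] || { echo "no exit code recorded" >&2; return 1; }
  code=$(cat "$exit_code_file")
  classify_snyk_exit "$code" >/dev/null || { echo "snyk did not scan (exit $code)" >&2; return 1; }
  [ -s "$scan_json" ] || { echo "scan.json missing or empty" >&2; return 1; }
  head -c 1 "$scan_json" | grep -q '[{[]' || { echo "scan.json is not JSON" >&2; return 1; }
  return 0
}

# Usage inside the snyk2spdx step (not executed here):
# should_convert "$(steps.step-snyk.exitCode.path)" "$(params.scan-results-path)/scan.json" \
#   && /app/bin/snyk2spdx --output="$(params.scan-results-path)/scan.spdx.json" \
#        < "$(params.scan-results-path)/scan.json"
```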
For information about setting up scanner credentials, see the Snyk CLI documentation.