This is a repository preconfigured to run the github actions workflows that drive a Snyk Sync import / synchronization of all the repositories in a given GitHub Organization (cloud or enterprise) into one or more Snyk Organizations.
Snyk Sync works by checking to see if all repositories from a list of Github orgs also exist in corressponding groups in Snyk. Sync checks each repo for a file at .snyk.d/import.yaml
the specifies which Snyk organization this repo and it's projects should be imported into.
This repository has a set of GitHub Actions that codeify the steps of performing a Sync:
- Combine the data set of existing Snyk Projects by Org and Repo (Target in Snyk) they come from with data collected from Github
- Generate a Targets file (snyk-sync targets sub command), a Diff of Repositories that do not have any projects in Snyk or if they do have projects, they aren't in the correct Organization (imported prior Snyk Sync or a
.snyk.d/import.yaml
file was added) - Use Snyk's snyk-api-import tool to perform the actual import of the repositories
- Run Sync again, to refresh and detect newly imported projects
- Perform a snyk-sync tags update command, adding any tags defined in the import.yaml files from the repositories, if they are missing
Below is an import.yaml file that would be used to ensure projects from multiple branches in a repo are imported into Snyk along with custom tags added:
---
schema: 2
orgName: cse-ownership
tags:
application: example
team: cse
branches:
- main
- development
-
Create a GitHub Access Token that contains the needed permissions for Snyk to import and add webhooks to Github repositories
repo (all), admin:read:org, and admin:repo_hooks (read & write)
-
Add a new GitHub Enterprise integration to an existing Snyk Organization that is the intended catch all organization.All projects from all repositories will end up in this organization unless otherwise specified via an import.yaml override.
- Disable All Disruptive Actions ensure all options on the GitHub Enterprise Integrations page are disabled, with the exception of "Auto-detect Dockerfiles"
- If you are a GitHub.com user, use
https://api.github.com
as the url - use the new GitHub Token you've just created
- Create a Snyk service account with Admin permissions. This needs to be Group level because Sync is expected to import repositories across organizations.
Create a new repository in Github called config-repo (or snyk-config-repo)
Clone this repository to a local machine, remove the the current origin and remove the current origin. The below steps is a quick and dirty way to do this (and to drop all the history from the development of this example repo)
git clone https://github.com/snyk-playground/config-repo
cd config-repo
rm -rf .git/*
git init .
git remote add origin git@github.com:my-org/snyk-config-repo.git
git add .
Ensure you have the SNYK_TOKEN and GITHUB_TOKEN environment variable setup on your workstation where the repo is checked out. This assumes you have docker running/working on your workstation.
Run the autoconf.sh script from the room of the repository, with the snyk org (as shortname/slug) you want to import repositories into followed by the github org you want to source the repositories from:
bash scripts/autoconf.sh snyk-org-slug github-org-name
This will replace the current snyk-sync.yaml and synk-orgs.yaml in the repository with ones pre-populated with values for your organization. Orgs are only added to snyk-orgs.yaml if they have a github-enterprise integration in place.
Edit snyk-sync.yaml:
- Replace "snyk-playground" under
github_orgs
with your github organization - Replace "36863d40-ba29-491f-af63-7a1a7d79e411" under
snyk:group:
with your Snyk Group ID (it is in your group settings page but also in your group pages:https://app.snyk.io/group/GROUP-ID/reports/
) - Replace "ie-playground" in
default:orgName
with the Snyk shortname (or slug) of the organization you want to have as default. It is the URL of an organization's page in Snyk:https://app.snyk.io/org/<org slug>
Edit snyk-orgs.yaml:
- Remove "cse-ownership" and everything below it
- Replace "ie-playground" with the slug of the default orgName
- Replace "39ddc762-b1b9-41ce-ab42-defbe4575bd6" under
orgId
with the ID from the org's settings page:https://app.snyk.io/org/<org slug>/manage/settings
- Replace "b87e1473-37ab-4f09-a4e3-a0139a50e81e" under
github-enterprise
with the ID from Snyk's GitHub Enterprise integration page:https://app.snyk.io/org/<org slug>/manage/integrations/github-enterprise
In your local environment you can perform a local test and this is reccomended before trying to perform a full import via GitHub Actions.
Set GITHUB_TOKEN
and SNYK_TOKEN
as environment variables and run scripts/test.sh
and the output should look like something below:
❯ bash scripts/test.sh
Sync forced, ignoring cache status
Sync starting
Getting all GitHub repos
Processing: [####################################] 100%
Scanning repos for import.yaml
Scanning: [####################################] 100%
Scanning Snyk for projects originating from GitHub Repos
Scanning: [####################################] 100%
Sync completed
Total Repos: 27
Writing targets to /runtime/import-targets.json
Write Successful
If you get Write Successful
, you've successfully setup the configuration for snyk sync to run. Skip to "Optional: Local Sync" if you want to perform a full local sync.
Depending on the size of the import-targets.json
created from the last step, it may take a long time for the import task to complete. If the total number of repos Sync scanned is more than 50, we suggest executing this locally first before having it run as a GitHub Action. To do that, run bash scripts/full-sync.sh
.
Once it completes, log in to the default Organization and check for projects under the GitHub Enterprise project filter.
Sync forced, ignoring cache status
Sync starting
Getting all GitHub repos
Processing: [####################################] 100%
Scanning repos for import.yaml
Scanning: [####################################] 100%
Scanning Snyk for projects originating from GitHub Repos
Scanning: [####################################] 100%
Sync completed
Total Repos: 27
Writing targets to /runtime/import-targets.json
Write Successful
Loaded 5 target(s) to import | Thu, 14 Oct 2021 19:53:48 GMT
Filtering out previously imported targets, this might be slow | Thu, 14 Oct 2021 19:53:48 GMT
Could not load previously imported targets file: imported-targets.log.
This could be because it doesn't exist or it is malformed. Either way continuing without checking for previously imported targets.
Checking status for import job id: e33e8ffe-4278-4522-8b01-5f4c80e0d07c
Checking status for import job id: 65e2d478-c814-4bc4-8c51-911f349d4ce4
Discovered 0 projects from import job id: 65e2d478-c814-4bc4-8c51-911f349d4ce4
Discovered 0 projects from import job id: e33e8ffe-4278-4522-8b01-5f4c80e0d07c
⚠ No projects imported!
Processed 5 out of a total of 5 targets
Check the logs for any failures located at: cache/log/*
Sync forced, ignoring cache status
Sync starting
Getting all GitHub repos
Processing: [####################################] 100%
Scanning repos for import.yaml
Scanning: [####################################] 100%
Scanning Snyk for projects originating from GitHub Repos
Scanning: [####################################] 100%
Sync completed
Total Repos: 27
Updating tags for projects
-
Following the instructions from GitHub to add repository secrets, add two encrypted secrets:
SNYK_TOKEN
that you created earlier as a service account andSNYK_GITHUB_TOKEN
which was the github token you created for the Snyk GitHub Enterprise integration. -
Commit and push these changes to the main branch of the repository
git commit -m "first commit"
git branch -M main
git push -u origin main
- From the "actions" tab of the repository select the "create-import-data" and select the "run workflow" option that appears to the right, choosing "branch:main"
- Reload the page and a new workflow should appear as running, select the workflow and view the logs, if it completes successfully, you should see that the repository how has a pull request.
- Merge the pull request labeled Updated Repo List
- Run a workflow again, this time selecting the "perform-import" workflow. This import may take some time if you did not perform a full sync locally first.