426535: snyk scan threshold (#147)

VERSION

@@ -1 +1 @@
-1.0.25
+1.0.26

docs/AppBuildAndDeploy.md

@@ -159,7 +159,8 @@ extends:
     sharedAcrConfig:                                        #Mandatory: Object which contains configration for helm lint and build
       name: 'ssvadpinfcr3401'
       serviceConnection: 'AZD-ADP-SSV3'
-    snykConfig:                                             #Optional: 
+    snykConfig:                                             #Mandatory: 
+      snykScanEnabled: true                                 #By default scan enabled
       snykConnection: 'Connection name'                     #Mandatory: Name of the connection in ADO
       snykOrganizationName: 'defra'                         #Mandatory: Name of snyk organization
       failOnThreshold: 'critical'                           #Mandatory: Threshold to fail the task if vulrarabilies identified

templates/pipelines/common-app-ci.yaml

@@ -185,7 +185,7 @@ stages:
           - ${{ if ne(parameters.sonarConfig.sonarConnection, '') }}:
             - template: /templates/steps/sonar-analysis.yaml
 
-          - ${{ if ne(parameters.snykConfig.snykConnection, '') }}:
+          - ${{ if eq(parameters.snykConfig.snykScanEnabled, true) }}:
             - template: /templates/steps/security-scan-application.yaml
               parameters:
                 snykConnection: ${{ parameters.snykConfig.snykConnection }}
@@ -238,7 +238,7 @@ stages:
               failOnStandardError: false
               workingDirectory: '$(Pipeline.Workspace)/s'
 
-          - ${{ if ne(parameters.snykConfig.snykConnection, '') }}:
+          - ${{ if eq(parameters.snykConfig.snykScanEnabled, true) }}:
             - template: /templates/steps/security-scan-container.yaml
               parameters:
                 snykConnection: ${{ parameters.snykConfig.snykConnection }}

templates/steps/security-scan-application.yaml

@@ -13,6 +13,9 @@ parameters:
     default: ''         
   - name: appBuildConfig
     type: object
+  - name: snykPolicyFilePath
+    type: string
+    default: './.snyk'    
 
 steps:
 - ${{ each projectManifestPath in split(parameters.manifestPath, ';') }}:
@@ -23,14 +26,16 @@ steps:
       testDirectory: '$(Build.SourcesDirectory)'      
       failOnIssues: true
       monitorOnBuild: false
+      failOnThreshold: '${{ parameters.failOnThreshold }}'
       projectName: '${{ parameters.acrRepoName }}'
       organization: '${{ parameters.snykOrganizationName }}'
+      additionalArguments: '--policy-path=${{ parameters.snykPolicyFilePath }}'
       ${{ if eq(parameters.appBuildConfig.appFrameworkType, 'java') }}:
         testType: code
         codeSeverityThreshold: 'high'
-      ${{ else  }}:        
-        failOnThreshold: '${{ parameters.failOnThreshold }}'
+      ${{ else  }}:
+        severityThreshold: ${{ parameters.failOnThreshold }}
         ${{ if ne(projectManifestPath, '') }}:
-          targetFile: '${{ projectManifestPath }}'        
+          targetFile: '${{ projectManifestPath }}'
     enabled: true
     continueOnError: ${{ ne(variables['Build.Reason'], 'PullRequest') }}

templates/steps/security-scan-container.yaml

@@ -28,8 +28,9 @@ steps:
     monitorOnBuild: false
     failOnIssues: ${{ eq(variables['Build.Reason'], 'PullRequest') }}
     projectName: '${{ parameters.acrRepoName }}'
-    organization: '${{ parameters.snykOrganizationName }}'    
+    organization: '${{ parameters.snykOrganizationName }}'
     failOnThreshold: '${{ parameters.failOnThreshold }}'
+    severityThreshold: ${{ parameters.failOnThreshold }}
     additionalArguments: '--policy-path=${{ parameters.snykPolicyFilePath }} --exclude-base-image-vulns'
   enabled: true
   continueOnError: ${{ ne(variables['Build.Reason'], 'PullRequest') }}