diff --git a/VERSION b/VERSION
index 855f7029..7717884d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.25
\ No newline at end of file
+1.0.26
\ No newline at end of file
diff --git a/docs/AppBuildAndDeploy.md b/docs/AppBuildAndDeploy.md
index 452eb676..f7baf6af 100644
--- a/docs/AppBuildAndDeploy.md
+++ b/docs/AppBuildAndDeploy.md
@@ -159,7 +159,8 @@ extends:
 sharedAcrConfig: #Mandatory: Object which contains configration for helm lint and build
 name: 'ssvadpinfcr3401'
 serviceConnection: 'AZD-ADP-SSV3'
- snykConfig: #Optional:
+ snykConfig: #Mandatory:
+ snykScanEnabled: true #By default scan enabled
 snykConnection: 'Connection name' #Mandatory: Name of the connection in ADO
 snykOrganizationName: 'defra' #Mandatory: Name of snyk organization
 failOnThreshold: 'critical' #Mandatory: Threshold to fail the task if vulrarabilies identified
diff --git a/templates/pipelines/common-app-ci.yaml b/templates/pipelines/common-app-ci.yaml
index 35067ac3..f8b9a857 100644
--- a/templates/pipelines/common-app-ci.yaml
+++ b/templates/pipelines/common-app-ci.yaml
@@ -185,7 +185,7 @@ stages:
 - ${{ if ne(parameters.sonarConfig.sonarConnection, '') }}:
 - template: /templates/steps/sonar-analysis.yaml
- - ${{ if ne(parameters.snykConfig.snykConnection, '') }}:
+ - ${{ if eq(parameters.snykConfig.snykScanEnabled, true) }}:
 - template: /templates/steps/security-scan-application.yaml
 parameters:
 snykConnection: ${{ parameters.snykConfig.snykConnection }}
@@ -238,7 +238,7 @@ stages:
 failOnStandardError: false
 workingDirectory: '$(Pipeline.Workspace)/s'
- - ${{ if ne(parameters.snykConfig.snykConnection, '') }}:
+ - ${{ if eq(parameters.snykConfig.snykScanEnabled, true) }}:
 - template: /templates/steps/security-scan-container.yaml
 parameters:
 snykConnection: ${{ parameters.snykConfig.snykConnection }}
diff --git a/templates/steps/security-scan-application.yaml b/templates/steps/security-scan-application.yaml
index d4036eb3..a600c273 100644
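Review bot: The new gate `eq(parameters.snykConfig.snykScanEnabled, true)` drops the previous `ne(snykConnection, '')` check, so a caller that sets the flag but leaves `snykConnection` empty now reaches the scan template with a blank connection, while a caller whose `snykConfig` predates the flag (the docs hunk shows the object was previously marked Optional) will silently skip both scans unless the declared default is `true`; the same applies to the second hunk at `@@ -238,7 +238,7`. The parameter declaration and its default are outside this hunk, so what an omitted key evaluates to here cannot be confirmed from the diff. I would keep both conditions, `- ${{ if and(eq(parameters.snykConfig.snykScanEnabled, true), ne(parameters.snykConfig.snykConnection, '')) }}:`, and prefer a visible failure over a silent skip when the flag is true and the connection is missing. A security scan that quietly fails open is the outcome to avoid here.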
--- a/templates/steps/security-scan-application.yaml
+++ b/templates/steps/security-scan-application.yaml
@@ -13,6 +13,9 @@ parameters:
 default: ''
 - name: appBuildConfig
 type: object
+ - name: snykPolicyFilePath
+ type: string
+ default: './.snyk'
 steps:
 - ${{ each projectManifestPath in split(parameters.manifestPath, ';') }}:
@@ -23,14 +26,16 @@ steps:
 testDirectory: '$(Build.SourcesDirectory)'
 failOnIssues: true
 monitorOnBuild: false
+ failOnThreshold: '${{ parameters.failOnThreshold }}'
 projectName: '${{ parameters.acrRepoName }}'
 organization: '${{ parameters.snykOrganizationName }}'
+ additionalArguments: '--policy-path=${{ parameters.snykPolicyFilePath }}'
 ${{ if eq(parameters.appBuildConfig.appFrameworkType, 'java') }}:
 testType: code
 codeSeverityThreshold: 'high'
- ${{ else }}:
- failOnThreshold: '${{ parameters.failOnThreshold }}'
+ ${{ else }}:
+ severityThreshold: ${{ parameters.failOnThreshold }}
 ${{ if ne(projectManifestPath, '') }}:
- targetFile: '${{ projectManifestPath }}'
+ targetFile: '${{ projectManifestPath }}'
 enabled: true
 continueOnError: ${{ ne(variables['Build.Reason'], 'PullRequest') }}
\ No newline at end of file
diff --git a/templates/steps/security-scan-container.yaml b/templates/steps/security-scan-container.yaml
index e2e90822..a3e39cd4 100644
--- a/templates/steps/security-scan-container.yaml
+++ b/templates/steps/security-scan-container.yaml
@@ -28,8 +28,9 @@ steps:
 monitorOnBuild: false
 failOnIssues: ${{ eq(variables['Build.Reason'], 'PullRequest') }}
 projectName: '${{ parameters.acrRepoName }}'
- organization: '${{ parameters.snykOrganizationName }}'
+ organization: '${{ parameters.snykOrganizationName }}'
 failOnThreshold: '${{ parameters.failOnThreshold }}'
+ severityThreshold: ${{ parameters.failOnThreshold }}
 additionalArguments: '--policy-path=${{ parameters.snykPolicyFilePath }} --exclude-base-image-vulns'
 enabled: true
 continueOnError: ${{ ne(variables['Build.Reason'], 'PullRequest') }}
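Review bot: `additionalArguments: '--policy-path=${{ parameters.snykPolicyFilePath }}'` in the second hunk, together with the `./.snyk` default declared in the first hunk, lets ignore entries in the scanned repository's own policy file suppress findings before `failOnThreshold` is applied, so the gate is only as strong as the review applied to that file in each consumer repo. I would document this on the new parameter, e.g. `# Path to the Snyk policy file; ignores in it suppress findings before failOnThreshold is evaluated, so changes to it should be reviewed`, and consider whether the shared pipeline should own the policy path rather than defaulting to the consumer's working tree. Separately, `severityThreshold: ${{ parameters.failOnThreshold }}` is unquoted while the sibling `failOnThreshold: '${{ parameters.failOnThreshold }}'` is quoted; quoting it the same way keeps the file consistent. The task definition these inputs belong to starts above the hunk.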
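Review bot: Adding `severityThreshold: ${{ parameters.failOnThreshold }}` next to the existing `failOnThreshold` ties the reporting threshold to the failure threshold, so with the documented example value `'critical'` high and medium findings would presumably be neither reported nor blocking, if the task maps this input to Snyk's severity filter as its name suggests. If the intent is only to change what fails the build, leave `severityThreshold` out or drive it from a separate parameter so the scan output keeps lower-severity findings visible; the same pairing is introduced in the security-scan-application.yaml hunk above. The value is also unquoted while `failOnThreshold` on the line above is quoted, so `severityThreshold: '${{ parameters.failOnThreshold }}'` would match the file's style. The task definition this input belongs to starts above the hunk.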