Create aws.yml #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Runs 4 Snyk Products (Code, Open Source, Container, IaC) | ||
| # Outputs the results to the pipeline | ||
| # Prerequisites: | ||
| # - Set a SNYK_TOKEN in the pipelines secrets | ||
| # - Install the HTML viewer extension | ||
| # https://marketplace.visualstudio.com/items?itemName=JakubRumpca.azure-pipelines-html-report | ||
| # NOTE: Change this to a different pool to run the scripts. | ||
| pool: sebsnyk.pool | ||
| steps: | ||
| - checkout: self | ||
| # .. your instructions on building the app or preparing the repository | ||
| # install & prepare snyk | ||
| - script: | | ||
| npm install -g snyk snyk-to-html | ||
| # This OPTIONAL step will configure the Snyk CLI to connect to the EU or AU instance of Snyk. | ||
| # Docs: https://docs.snyk.io/more-info/data-residency-at-snyk#cli-and-ci-pipelines-urls | ||
| # snyk config set endpoint='https://app.eu.snyk.io/api' | ||
| # snyk config set endpoint='https://app.au.snyk.io/api' | ||
| snyk auth $(SNYK_TOKEN) | ||
| # explicitly allow scripts to continue if errors occur | ||
| set +e | ||
| displayName: 'snyk install & auth' | ||
| # snyk code | ||
| - script: | | ||
| snyk code test --severity-threshold=high | ||
| RESULT=$? | ||
| snyk-to-html -o $(Build.ArtifactStagingDirectory)/results-code.html < results.sarif | ||
| exit $RESULT | ||
| continueOnError: false | ||
| displayName: 'snyk code' | ||
| # snyk open source | ||
| - script: | | ||
| snyk test --severity-threshold=critical | ||
| RESULT=$? | ||
| snyk-to-html -o $(Build.ArtifactStagingDirectory)/results-open-source.html < results.json | ||
| exit $RESULT | ||
| continueOnError: false | ||
| displayName: 'snyk open source' | ||
| # snyk container | ||
| # NOTE: Change the image name | ||
| - script: | | ||
| snyk container test --severity-threshold=critical | ||
| RESULT=$? | ||
| snyk-to-html -o $(Build.ArtifactStagingDirectory)/results-container.html < results.json | ||
| exit $RESULT | ||
| continueOnError: false | ||
| displayName: 'snyk container' | ||
| # snyk iac | ||
| - script: | | ||
| snyk iac test --severity-threshold=critical | ||
| RESULT=$? | ||
| snyk-to-html -o $(Build.ArtifactStagingDirectory)/results-iac.html < results.json | ||
| exit $RESULT | ||
| continueOnError: false | ||
| displayName: 'snyk iac' | ||
| - task: PublishHtmlReport@1 | ||
| condition: succeededOrFailed() | ||
| inputs: | ||
| reportDir: $(Build.ArtifactStagingDirectory)/results-code.html | ||
| tabName: 'Snyk Code' | ||
| - task: PublishHtmlReport@1 | ||
| condition: succeededOrFailed() | ||
| inputs: | ||
| reportDir: $(Build.ArtifactStagingDirectory)/results-open-source.html | ||
| tabName: 'Snyk Open Source' | ||
| - task: PublishHtmlReport@1 | ||
| condition: succeededOrFailed() | ||
| inputs: | ||
| reportDir: $(Build.ArtifactStagingDirectory)/results-container.html | ||
| tabName: 'Snyk Container' | ||
| - task: PublishHtmlReport@1 | ||
| condition: succeededOrFailed() | ||
| inputs: | ||
| reportDir: $(Build.ArtifactStagingDirectory)/results-iac.html | ||
| tabName: 'Snyk IaC' | ||
| - task: PublishBuildArtifacts@1 | ||
| inputs: | ||
| pathToPublish: '$(Build.ArtifactStagingDirectory)' | ||
| artifactName: Snyk Reports | ||
