Search This Blog

Thursday, 23 December 2021

Find and fix vulnerabilities in your CI/CD pipeline with Snyk and Harness

Integrating the Snyk developer-focused security platform into Harness’ unified delivery pipeline workflow ensures security and compliance testing is part of every release. This allows you to prevent applications with vulnerable dependencies and code from making their way into production. With modern tooling like Snyk and Harness, you can find, fix, and remediate through a CI/CD pipeline and mitigate the risk to the business without affecting your ability to release software quickly.

Created a new Snyk Blog with the harness team as per the link below.

https://snyk.io/blog/find-fix-vulnerabilities-ci-cd-pipeline-snyk-harness/

Monday, 1 November 2021

Using harness CI to run a series of Snyk Tests

 When DevOps emerged more than 10 years ago, the main focus was to bridge the gaps between Dev and Ops teams by introducing automation to the processes of building, testing and deployment of applications.

As development teams continue to deliver more rapidly and more frequently, security teams are finding it difficult to keep up and often end up being the bottleneck in the delivery pipeline. For this reason, bringing security early into the DevOps process from the outset – in other words, embracing a DevSecOps culture within a business – has become increasingly important.


Applications have changed as cloud-native technologies like Containers, Kubernetes, and the use of Infrastructure as Code technologies like Terraform, Cloudformation, ARM templates are now the norm. These elements are now built and customized by developers and live in their Source Code Management repositories.


In this demo below I show you how Harness CI along with Snyk can help setup a DevSecOps Pipeline well before we even think about deployment.


Steps


Note: We are using the public GitHub repo below


https://github.com/papicella/springbootemployee-api


1. First we need to identify our user token within Snyk. For enterprise customers you can setup service accounts and retrieve a token which we will require later. For non enterprise Snyk accounts you can just use the main User Token. Both methods of how to obtain this are defined below.


Service Accounts

https://docs.snyk.io/features/integrations/managing-integrations/service-accounts


For those without access to service accounts you can obtain your Snyk user Token as follows

https://docs.snyk.io/features/snyk-cli/install-the-snyk-cli/authenticate-the-cli-with-your-account


2. In harness let's define a few secrets one being our Snyk Token we retrieved in step 1, also my GitHub token



3. Our builds need to run somewhere in this example we are using a connector to our K8s cluster which is defined at the "Organization" level within Harness





4. Our first execution step is simply going to package the application. Our Spring Boot application is using maven and has a single pom.xml file. Notice below that we have to use a Docker connector for a "Build-> Run" step , here I am using an account level Docker connector




5. Now we can run our first Snyk Test. In this simple example we don't fail the build at all and ensure we pass a SUCCESS exit code for our Snyk Open Source test which will pick up the one and only pom.xml file in the repo. I am also using Snyk Docker image that includes the Snyk CLI and Maven to perform this test.





6. So jumping right ahead let's quickly take a look at our other 3 tests.


Snyk Code Test



Snyk IaC test




Snyk Container Test




In all these Snyk Tests we ensure nothing fails instead we just report on vulnerabilities. WE could also set our severity threshold as part of our tests as shown below.


--severity-threshold=medium


https://docs.snyk.io/features/snyk-cli/test-for-vulnerabilities/set-severity-thresholds-for-cli-tests


7. In order to run the container test we had to build our container image which was done using a "Build and push image to Dockerhub" step as shown below



8. Now after running a few builds our Overview page on Harness UI nicely summarises what has passed versus what has failed for us.



9. Finally we can view each build as follows






Sample Images


Overview Page



Infrastructure Page - Here we define where are harness delegate running in a K8s cluster which is just one of the options here when it comes to a worker node for the pipeline steps we run



Execution Page - here we define four seperate tests.

  • Snyk Open Source Test
  • Snyk Code Test
  • Snyk IaC Test
  • Snyk Container Test



Pipeline Result Page




For those that wish to see the whole pipeline YAML here it is below:


pipeline: name: employee-api-pipeline identifier: employeeapipipeline projectIdentifier: Springboot_Employee_API orgIdentifier: default tags: {} properties: ci: codebase: connectorRef: pasgithub repoName: springbootemployee-api build: <+input> stages: - stage: name: build employee api identifier: build_employee_api description: "" type: CI spec: cloneCodebase: true infrastructure: type: KubernetesDirect spec: connectorRef: org.GKE namespace: harness-builds execution: steps: - step: type: Run name: Package Application identifier: Package_Application spec: connectorRef: account.harnessImage image: maven:3.8.3-openjdk-11-slim command: mvn -DskipTests -Dsnyk.skip package privileged: false - step: type: Run name: snyk test identifier: snyk_test spec: connectorRef: account.harnessImage image: snyk/snyk-cli:1.745.0-maven-3.5.4 command: |- SNYK_TOKEN=<+secrets.getValue("SNYK_TOKEN")> snyk config set api=$SNYK_TOKEN snyk test || true privileged: false failureStrategies: [] - step: type: Run name: snyk code test identifier: snyk_code_test spec: connectorRef: account.harnessImage image: snyk/snyk-cli:1.745.0-maven-3.5.4 command: |- SNYK_TOKEN=<+secrets.getValue("SNYK_TOKEN")> snyk config set api=$SNYK_TOKEN snyk code test || true privileged: false when: stageStatus: Success failureStrategies: [] - step: type: Run name: snyk IaC test identifier: snyk_IaC_test spec: connectorRef: account.harnessImage image: snyk/snyk-cli:1.745.0-maven-3.5.4 command: |- SNYK_TOKEN=<+secrets.getValue("SNYK_TOKEN")> snyk config set api=$SNYK_TOKEN snyk iac test ./employee-K8s.yaml || true privileged: false when: stageStatus: Success failureStrategies: [] - step: type: BuildAndPushDockerRegistry name: Build Container identifier: Build_Container spec: connectorRef: pasdockerhub repo: pasapples/springbootemployee tags: - harness dockerfile: Dockerfile.harness optimize: true - step: type: Run name: snyk container test identifier: snyk_container_test spec: connectorRef: pasdockerhub image: snyk/snyk-cli:1.745.0-maven-3.5.4 command: |- SNYK_TOKEN=<+secrets.getValue("SNYK_TOKEN")> snyk config set api=$SNYK_TOKEN snyk container test pasapples/springbootemployee:harness || true privileged: false resources: limits: memory: 2048Mi variables: []



More Information


Snyk

https://snyk.io


Harness

https://harness.io/

Wednesday, 15 September 2021

Using Buildkite to perform Snyk Open Source and Snyk Code (SAST) tests

Buildkite is a platform for running fast, secure, and scalable continuous integration pipelines on your own infrastructure. In the example below I will run my Buildkite pipeline on my Macbook to perform two Snyk Tests, one for Open-Source dependancies and the other a SAST test of the code itself.

Snyk is an open source security platform designed to help software-driven businesses enhance developer security.

You will need an account on Snyk and Buildkite to follow the steps below.

Steps

1. First in Snyk let's create a Service Account which will be the Snyk token I will use to authenticate with. You can use the Snyk API Token but the service account is all you need to run "Snyk Tests" so makes sense to use that.


2. Next let's store that Service Account token somewhere where I can safely inject that into my pipeline at the appropriate step. In this example I am using "Google Secret Manager" but there are other choices of course.


Note: We will be using the secret NAME shortly "PAS_BUILDKITE_SA_SNYK_TOKEN"

3. You will need a Buildkite agent on your local Infrastructure in my case I using my Macbook so that's done as follows

https://buildkite.com/docs/agent/v3/macos 

pasapicella@192-168-1-113:~/demos/integrations/buildkite$ ./start-agent.sh

   _           _ _     _ _    _ _                                _
  | |         (_) |   | | |  (_) |                              | |
  | |__  _   _ _| | __| | | ___| |_ ___    __ _  __ _  ___ _ __ | |_
  | '_ \| | | | | |/ _` | |/ / | __/ _ \  / _` |/ _` |/ _ \ '_ \| __|
  | |_) | |_| | | | (_| |   <| | ||  __/ | (_| | (_| |  __/ | | | |_
  |_.__/ \__,_|_|_|\__,_|_|\_\_|\__\___|  \__,_|\__, |\___|_| |_|\__|
                                                 __/ |
 https://buildkite.com/agent                    |___/

2021-09-15 11:09:33 NOTICE Starting buildkite-agent v3.32.3 with PID: 50130
2021-09-15 11:09:33 NOTICE The agent source code can be found here: https://github.com/buildkite/agent
2021-09-15 11:09:33 NOTICE For questions and support, email us at: hello@buildkite.com
2021-09-15 11:09:33 INFO   Configuration loaded path=/usr/local/etc/buildkite-agent/buildkite-agent.cfg
2021-09-15 11:09:33 INFO   Registering agent with Buildkite...
2021-09-15 11:09:35 INFO   Successfully registered agent "y.y.y.y.tpgi.com.au-1" with tags []
2021-09-15 11:09:35 INFO   Starting 1 Agent(s)
2021-09-15 11:09:35 INFO   You can press Ctrl-C to stop the agents

4. You're now ready to create a pipeline. A pipeline is a template of the steps you want to run. There are many types of steps, some run scripts, some define conditional logic, and others wait for user input. When you run a pipeline, a build is created. Each of the steps in the pipeline end up as jobs in the build, which then get distributed to available agents.

In the example below our pipeline is created from a GitHub repo and then select the default branch. At that point incoming webhooks are sent to Buildkite by source control providers (GitHub, GitLab, Bitbucket, etc.) to trigger builds, in this scenario we using GitHub


5. Let's go ahead and actually just edit the build steps using YAML. My final YAML is as follows and I explain below why it looks this way but in short I just want to run two snyk tests rather then actually deploy anything for this demo.

steps:
  - commands:
      - "snyk config set api=$$SNYK_SA_TOKEN_VAR"
      - "snyk test --severity-threshold=$$SEVERITY_THRESHOLD"
      - "snyk code test --org=$$SNYK_ORG"
    plugins:
      - avaly/gcp-secret-manager#v1.0.0:
          credentials_file: /Users/pasapicella/snyk/clouds/gcp/buildkite-secrets-gcp.json
          env:
            SNYK_SA_TOKEN_VAR: PAS_BUILDKITE_SA_SNYK_TOKEN
    env:
      SEVERITY_THRESHOLD: "critical"
      SNYK_ORG: "pas.apicella-41p"
    label: "Employee API Snyk Test"

Few things to note here:

  • I am using a GCP secret manager plugin to retrieve my Snyk SA token with a name as follows "PAS_BUILDKITE_SA_SNYK_TOKEN"
  • I am using a Google Service Account JSON so I can authenticate with GCP and retrieve my secret "SNYK_SA_TOKEN_VAR", you will need to use a Service Account with privileges to at least READ from Google Secret Manager
  • I am using some local non sensitive ENV variables which get used at the appropriate time
  • I have three commands of which the first command sets my Snyk API token for the Snyk CLI
  • I have not installed the Snyk CLI because it already exists on my Macbook 
  • I am only looking for my Snyk tests to fail if it finds any CRITICAL issues only
  • I should be running a "mvn package" here but I can still execute a "snyk test" without it for demo purposes as we have a pom..xml
  • I could also build a container in the pipeline from the source code and then run a "snyk container test" as well, in fact I could even run "snyk iac test" against any IaC files in the repo as well
  • If a test fails we can easily run "snyk monitor" to load the results into the Snyk App but for this demo we don't do that

6. Now we can manually run a build or wait for triggering event on our repo, here is some screen shots of what it looks like including some failures where we find vulnerabilities in a separate node.js repo





 

It makes more sense to create a Buildkite plugin for Snyk rather than execute commands using a script and here is an example of one below. Having said that the commands you run to execute a "snyk test" are simple enough to include in the pipeline YML without the need for a plugin here especially if you have infrastructure already setup with the ability to run the "snyk cli". A plugin would be the right approach here though as per the example below.

https://github.com/seek-oss/snyk-buildkite-plugin


Hopefully you have seen how easy it is to continuously avoid known vulnerabilities in your dependencies and code, by integrating Snyk into your continuous integration pipeline with Buildkite.

More Information

Snyk

Monday, 30 August 2021

Using the Elastic Snyk module to visualize Snyk imported project data with Elastic Kibana

Snyk is an open source security platform designed to help software-driven businesses enhance developer security

Elastic (ELK) stack is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. 

In this blog we will use Elastic to visualize our vulnerability data from Snyk using the Elastic Snyk Module

This module is used for ingesting data from the different Snyk API Endpoints. Currently supports these filesets:
  • vulnerabilities fileset: Collects all found vulnerabilities for the related organizations and projects
  • audit fileset: Collects audit logging from Snyk, this can be actions like users, permissions, groups, api access and more.
When you run the module, it performs a few tasks under the hood:
  • Sets the default paths to the log files (but don’t worry, you can override the defaults)
  • Makes sure each multiline log event gets sent as a single event
  • Uses ingest node to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana

Here is how to get started with this currently BETA module

Steps 

1. First you will need an account on Snyk App and have imported a few projects so you have some vulnerability data to get started with. Here is an example of some imported projects which already exist in my Snyk App Account.


2. You will need an Elastic Cluster best way to get one of those if you don't have one is to head to the Elastic Cloud Service for a free trial

3. Next we need to install Elastic Filebeat. The quick start guide here is the best way to do that

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

Couple of things here

  • You need to run this command to enable the snyk module as shown below. In this example the module is already enabled so the output would differ the first time you run this.

$ ./filebeat modules enable snyk
Module snyk is already enabled

  • Make sure you have configured connectivity to your Elastic Cluster as per the doc above. The example below is for the Elastic Cloud Service itself.

cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "filebeat_setup:YOUR_PASSWORD"

4. With Elastic Filebeat installed and configured now we can setup the Snyk module to do that we perform the following.

Edit "./modules.d/snyk.yml

The following link shows how to configure the snyk.yml file and what settings are available

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-snyk.html

Example Config to get started with: 

- module: snyk
  audit:
    enabled: true
    var.input: httpjson
    var.audit_type: organization
    var.audit_id: SNYK_ORG_ID
    var.interval: 1h
    var.api_token: SNYK_API_TOKEN
    var.first_interval: 30d

  vulnerabilities:
    enabled: true
    var.interval: 1h
    var.first_interval: 30d
    var.api_token: SNYK_API_TOKEN
    var.orgs:
      - SNYK_ORG_ID_1
      - SNYK_ORG_ID_2

Note: In this example we are obtaining data from 2 organizations

You obtain your ORG_ID's and SNYK_TOKEN_ID from Snyk App as shown below

Account Settings -> General



Settings -> General -> Organization ID (For each orgnization you wish to use)
 


5. At this point we can start Elastic Filebeat as shown below.

$ ./filebeat -e
...
2021-08-30T14:23:48.034+1000 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.0
2021-08-30T14:23:48.163+1000 INFO cfgfile/reload.go:224 Loading of config files completed.
2021-08-30T14:23:48.163+1000 INFO [input.httpjson-cursor] compat/compat.go:111 Input httpjson-cursor starting {"id": "BC01B4DEC1514B32"}
2021-08-30T14:23:48.163+1000 INFO [input.httpjson-cursor] compat/compat.go:111 Input httpjson-cursor starting {"id": "303DFE9AECEEEF55"}
2021-08-30T14:23:48.164+1000 INFO [input.httpjson-cursor] v2/input.go:112 Process another repeated request. {"id": "303DFE9AECEEEF55", "input_source": "https://snyk.io/api/v1/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue", "input_url": "https://snyk.io/api/v1/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue"}
2021-08-30T14:23:48.164+1000 INFO [input.httpjson-cursor] v2/input.go:112 Process another repeated request. {"id": "BC01B4DEC1514B32", "input_source": "https://snyk.io/api/v1/org/yyyy/audit?page=1&sortOrder=ASC", "input_url": "https://snyk.io/api/v1/org/yyyy/audit?page=1&sortOrder=ASC"}
2021-08-30T14:23:49.656+1000 INFO [input.httpjson-cursor] v2/request.go:210 request finished: 0 events published {"id": "BC01B4DEC1514B32", "input_source": "https://snyk.io/api/v1/org/yyyy/audit?page=1&sortOrder=ASC", "input_url": "https://snyk.io/api/v1/org/yyyy/audit?page=1&sortOrder=ASC"}

...

6. If we head to Kibana and go into the "Discover" Page we will see data flowing into the cluster by setting "event.module = snyk" on the "filebeat-*" index pattern as shown below.

Or maybe we want to use Dev Tools itself



7. Finally a Dashboard of some graphs as we monitor the "Snyk Data" coming into the cluster 


Next Steps?

Kibana gives you the freedom to select the way you give shape to your data. With its interactive visualizations, start with one question and see where it leads you!!!. If it was me I would go straight to Kibana Lens. Kibana Lens is an easy-to-use, intuitive UI that simplifies the process of data visualization through a drag-and-drop experience it allowed me to create the dashboard page above in under 3 minutes even without knowing where to start.

https://www.elastic.co/kibana/kibana-lens

Want all your vulnerability data form the Snyk Platform within your Elastic Stack the "Elastic Snyk Module" will do that for you in a few easy steps.

More Information

Snyk

Elastic Snyk Module

Friday, 20 August 2021

Taking Snyk Code for Test Drive

Snyk Code is our newest addition to the Snyk platform. Snyk Code uses a revolutionary approach designed to be developer-first. Conventional Static Application Security Testing (SAST) tools are limited by lengthy scans times and poor accuracy, returning too many false positives, and eroding developer trust. Snyk Code makes developer efforts efficient and actionable.

In this short blog post let's take it for a test drive on a large Java Project.

Steps

1. You will need an account on Snyk App sign up for free at snyk.io

2. Once you have an account and are logged in go ahead and enable "Snyk Code" as follows


3. Clone the following GitHub repo as follows.

https://github.com/papicella/CWE-Juliet-TestSuite-Java

$ git clone https://github.com/papicella/CWE-Juliet-TestSuite-Java
Cloning into 'CWE-Juliet-TestSuite-Java'...
remote: Enumerating objects: 12964, done.
remote: Counting objects: 100% (12964/12964), done.
remote: Compressing objects: 100% (969/969), done.
remote: Total 12964 (delta 11931), reused 12964 (delta 11931), pack-reused 0
Receiving objects: 100% (12964/12964), 6.44 MiB | 6.04 MiB/s, done.
Resolving deltas: 100% (11931/11931), done.
Updating files: 100% (13095/13095), done.

4. Authenticate with "Snyk CLI" as shown below

Note: The following link will get the CLI installed for you

https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI

$ snyk auth

5. Let's check the number of lines of code we scanning as follows. Here we are making sure we only scan Java Source files as that's all that exists in this repo in any case. Snyk Code supports other programming languages as well like Python, JavaScript etc.

$ cd CWE-Juliet-TestSuite-Java
$ find ./Java/src -name "*.java" -type f -exec wc -l {} \; | awk '{total += $1} END{print total}'
2,479,301

So we have close 2.5 million lines of code here of course that counts lines of empty space such as carriage returns BUT still that's lots of code to scan.

6. Run your "Snyk Code" Test as follows to see two things , how long the scan took and the number of results returned. From this we can see the scan and results took less then 2 minutes!

$ time snyk code test ./Java/src

....

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_41.java, line 42
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_14.java, line 62
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] SQL Injection
     Path: testcases/CWE89_SQL_Injection/s02/CWE89_SQL_Injection__getCookies_Servlet_execute_10.java, line 62
     Info: Unsanitized input from cookies flows into execute, where it is used in an SQL query. This may result in an SQL Injection vulnerability.


✔ Test completed

Organization:      undefined
Test type:         Static code analysis
Project path:      ./Java/src

3086 Code issues found
1491 [High]  1595 [Medium]


real 1m4.269s
user 0m45.630s
sys 0m7.182s

The following post shows some comparison data against other SAST engines and code repositories.

https://snyk.io/blog/sast-tools-speed-comparison-snyk-code-sonarqube-lgtm/

More Information

Snyk Code

Snyk Code is now available for free

Friday, 23 July 2021

Snyk provides native integration for Atlassian Bitbucket Cloud security - Here is how!!!

The Snyk security integration is free and easy to set up with just a few clicks inside the Bitbucket Cloud product. For the first time, developers can consume information that was previously only available inside Snyk now within Bitbucket Cloud. Snyk enables developers to see new vulnerabilities as they emerge and implement fixes early and quickly in the process. 

In this post we show how easily you can integrate Snyk into Bitbucket Cloud

Steps

Note: For the following to work you have to integrate Bitbucket Cloud with the Snyk App as per this link 


1. Once logged into Bitbucket Cloud navigate to your "Workplace Settings" and authenticate with Snyk as shown below.





2. Next select the repository you wish to use as shown below.





3. You should see a "Snyk" tab on the left hand side click on this and then click on "Import this repository" as shown below.




4. In a couple of minutes or less you should see a "Snyk" overview report as per below. 




5. Click on "pom.xml" to get more information as shown below. Here we get a list of all Vulnerabilities as per a scan of the package manifest file "pom.xml" in this example.





6. On the top of this page you can directly go to the project page on "Snyk App" by clicking on "Visit Snyk" as shown below.




It's as simple as that!
 

More Information

Demo Video

Friday, 2 July 2021

Snyk Import Project API using Azure Repos

In this example below we show how you could import a Azure Repo directly from the Snyk API. The Snyk API is available to customers on paid plans and allows you to programatically integrate with Snyk.

API url

The base URL for all API endpoints is https://snyk.io/api/v1/

Authorization

To use this API, you must get your token from Snyk. It can be seen on https://snyk.io/account/ after you register with Snyk and login.

The token should be supplied in an Authorization header with the token, preceded by token:

Authorization: token API_KEY

Steps

Note: You would have configured an Azure Repos Integration as shown below prior to running these steps




1. Authenticate with the CLI using your Snyk Token as follows

$ snyk auth TOKEN

Your account has been authenticated. Snyk is now ready to be used.

2. Log into your Azure DevOps account and verify which Project Repo you wish to import as per the image below


3. With your project selected you will need the following details to perform the Snyk API import request

owner: Name of your project


name: Name of your Repository


branch: Branch name you wish to import



4. Finally we will need our Organisation ID and Azure Repos ID which we retrieve from the Snyk UI as follows

organization ID

Setting > General -> Organization ID

Azure Repos ID

Setting > Integrations -> Azure Repos -> Edit Settings -> Scroll to bottom of page



Take of note of both ID's we will need them in the steps below

5. Now we are ready to import our Azure Repo using a command as follows. We are using a "curl" command to issue a POST request and this command is for a Mac OSX or linux system so it would need tweaking if running on Windows for example

Command

curl --include \
     --request POST \
     --header "Content-Type: application/json; charset=utf-8" \
     --header "Authorization: token `snyk config get api`" \
     --data-binary "{
  \"target\": {
    \"owner\": \"spring-book-service\",
    \"name\": \"spring-book-service\",
    \"branch\": \"master\"
  }
}" \
'https://snyk.io/api/v1/org/$ORG_ID/integrations/$AZURE_REPO_ID/import'

6. Set the ENV variables for ORG_ID and AZURE_REPO_ID as follows

export ORG_ID=FROM_STEP-4
export AZURE_REPO_ID=FROM_STEP-4

7. Run command

$ curl --include \
>      --request POST \
>      --header "Content-Type: application/json; charset=utf-8" \
>      --header "Authorization: token `snyk config get api`" \
>      --data-binary "{
>   \"target\": {
>     \"owner\": \"spring-book-service\",
>     \"name\": \"spring-book-service\",
>     \"branch\": \"master\"
>   }
> }" \
> "https://snyk.io/api/v1/org/${ORG_ID}/integrations/${AZURE_REPO_ID}/import"
HTTP/2 201
content-security-policy: base-uri 'none'; script-src 'self' https: 'nonce-ENlk6rSQsdLgbcWNcCaA7A==' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' 'report-sample'; img-src https: data:; object-src 'none'; report-to csp-report-group; report-uri https://web-reports.snyk.io/csp?version=39e8721a74a6dffcb97fc790cfbf1fca91cefc03;
report-to: {"group":"csp-report-group","max_age":1800,"endpoints":[{"url":"https://web-reports.snyk.io/csp?version=39e8721a74a6dffcb97fc790cfbf1fca91cefc03"}],"include_subdomains":true}
x-snyk-version: undefined
snyk-request-id: 1669e85e-abe5-401b-80bb-dae41829d6e1
location: https://snyk.io/api/v1/org/.....
content-type: application/json; charset=utf-8
content-length: 2
etag: W/"2-vyGp6PvFo4RvsFtPoIWeCReyIC8"
date: Fri, 02 Jul 2021 01:39:45 GMT
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; preload

{}

Finally switch back to the Snyk UI and verify you have imported the Azure repo as shown below


More Information

Import Projects API


Monday, 14 June 2021

Basic Pipeline using Snyk Container, OCI Images, Azure DevOps all part of Cloud Native Application Security

Snyk Container will find vulnerabilities in containers and Kubernetes workloads throughout the SDLC by scanning any compliant OCI image which includes those created by Cloud Native Buildpacks or other build tools that create OCI images.

So what could an Azure DevOps Pipeline look like that incorporates the following using Snyk?

Running a Snyk Scan against the project repository

Here we run a "snyk test" from the root folder of the repository itself and that report is then



Building your Artifact

Here we use a Maven task which packages the application Artifact as a JAR file ready to run




Creating an OCI compliant container image from the Artifact itself

There are various ways to create a OCI compliant image but by the far the simplest is using Cloud Native Buildpacks and for this we use the pack CLI which in turns using the Java Buildpack from our JAR file directly avoid a compilation step from the source code given we already did that on the step above.



Running a Snyk Scan against the container image directly on the Container Registry

With our container image now in our Container Registry we can use "snyk container" to check for issues directly from the registry and also check for application security issues from the open source dependancies as well.





The finished Pipeline ...







azure-pipeline.yml Pipeline used in Azure DevOps

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

pool:
vmImage: ubuntu-latest

steps:

- task: Maven@3
inputs:
mavenPomFile: 'pom.xml'
mavenOptions: '-Xmx3072m'
javaHomeOption: 'JDKVersion'
jdkVersionOption: '1.11'
jdkArchitectureOption: 'x64'
publishJUnitResults: true
options: "-Dskiptests -Dsnyk.skip"
goals: 'package'
displayName: "Build artifact JAR"
- task: SnykSecurityScan@0
inputs:
serviceConnectionEndpoint: 'snyk-token'
testType: 'app'
monitorOnBuild: false
failOnIssues: false
displayName: "snyk test from source"
- task: Docker@2
inputs:
containerRegistry: 'docker-pasapples-connection'
command: 'login'
displayName: "Login to DockerHub"

- script: |
curl -sSL "https://github.com/buildpacks/pack/releases/download/v0.19.0/pack-v0.19.0-linux.tgz" | tar -C ./ --no-same-owner -xzv pack
./pack build pasapples/springbootemployee:cnb-paketo-base --builder paketobuildpacks/builder:base --publish --path ./target/springbootemployee-0.0.1-SNAPSHOT.jar
displayName: 'Build Container with Pack'

- task: SnykSecurityScan@0
inputs:
serviceConnectionEndpoint: 'snyk-token'
testType: 'container'
dockerImageName: 'pasapples/springbootemployee:cnb-paketo-base'
severityThreshold: 'low'
monitorOnBuild: false
failOnIssues: false
additionalArguments: "--app-vulns"
displayName: "snyk container scan from image"


More Information

So, for Container and Kubernetes security, designed to help developers find and fix vulnerabilities in cloud native applications, click the links below to learn more and get started today.

Snyk Container

Snyk Platform