I have a .snyk policy file which is supposed to ignore vulnerabilities until a given date:
```yaml
# Policy as posted: expires/created sit one level deeper than reason
version: v1.25.0
ignore:
  <REDACTED>:
    - '*':
        reason: >-
          This vulnerability should have a fix soon:
          expires: 2023-11-01T00:00:00.000Z
          created: 2023-10-11T00:00:00.000Z
  <REDACTED>:
    - '*':
        reason: >-
          This vulnerability should have a fix soon:
          expires: 2023-11-13T00:00:00.000Z
          created: 2023-10-23T00:00:00.000Z
  <REDACTED>:
    - '*':
        reason: >-
          This vulnerability will be addressed as a part of <TICKET>:
          expires: 2023-12-23T00:00:00.000Z
          created: 2023-06-23T00:00:00.000Z
patch: {}
```
My expectation is that these vulnerabilities should now fail the build, but that hasn't been happening. The Snyk documentation is not very clear, anywhere, about what will actually happen when the expiry is passed.
Presumably there is something wrong with my config. How do I set Snyk up to automatically fail the build when the expiry is reached?
Snyk is set up as a task in our Azure pipeline like so:
```yaml
- task: SnykSecurityScan@0
  displayName: "Snyk Security App Scan"
  inputs:
    serviceConnectionEndpoint: 'Snyk'
    testType: 'app'
    monitorOnBuild: true
    failOnIssues: true
    severityThreshold: <SEVERITY>
    additionalArguments: '--all-projects'
  env:
    AZURE_ARTIFACTS_ENV_ACCESS_TOKEN: $(System.AccessToken)
```
Figured it out - indentation for expires and created was one level too far.
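The root cause in the accepted answer is a YAML property worth seeing mechanically: `reason: >-` opens a folded block scalar, and every following line indented deeper than `reason` is part of that string. An `expires:` line at that depth is therefore just text, not a policy field, so the ignore has no expiry and never lapses; once `expires` is a sibling of `reason`, an expired ignore stops being applied, the issue is reported again, and `failOnIssues` fails the build. The linter below is an added example written for this thread, not Snyk's code and not the asker's. It uses only the standard library, embeds a constructed mis-indented policy and its corrected form (the issue ids `SNYK-EXAMPLE-1`/`SNYK-EXAMPLE-2` are hypothetical), flags `expires`/`created` lines swallowed into the reason text, flags rules with no effective `expires`, and reports ignores that have lapsed relative to a supplied check date. It handles only the flat `ignore:` layout shown in the question, not every .snyk construct.

```python
"""Lint a .snyk policy for mis-indented expires/created keys and lapsed ignores.

Added example (stdlib only); the policy text and issue ids below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Matches "key: value", "key:" and "- key:" after leading whitespace is stripped.
LINE_RE = re.compile(r"^(?P<dash>-\s+)?(?P<key>[^\s:#][^:#]*?):(?:\s+(?P<value>.*))?\s*$")

# Constructed: the asker's mistake, expires/created indented under the folded reason.
BROKEN = """\
version: v1.25.0
ignore:
  SNYK-EXAMPLE-1:
    - '*':
        reason: >-
          This vulnerability should have a fix soon:
          expires: 2023-11-01T00:00:00.000Z
          created: 2023-10-11T00:00:00.000Z
patch: {}
"""

# Constructed: same policy with expires/created as siblings of reason.
FIXED = """\
version: v1.25.0
ignore:
  SNYK-EXAMPLE-1:
    - '*':
        reason: >-
          This vulnerability should have a fix soon
        expires: 2023-11-01T00:00:00.000Z
        created: 2023-10-11T00:00:00.000Z
  SNYK-EXAMPLE-2:
    - '*':
        reason: >-
          This vulnerability will be addressed as part of a ticket
        expires: 2023-12-23T00:00:00.000Z
        created: 2023-06-23T00:00:00.000Z
patch: {}
"""


@dataclass(frozen=True)
class Finding:
    issue: str
    line: int      # 1-based line in the policy text
    message: str


def parse_timestamp(value: str) -> datetime:
    """Parse the 2023-11-01T00:00:00.000Z form that `snyk ignore` writes."""
    return datetime.strptime(value.strip().strip("'\""), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


AS_OF = parse_timestamp("2023-12-01T00:00:00.000Z")   # check date used in the usage below


def lint_policy(text: str, now: datetime) -> list[Finding]:
    findings: list[Finding] = []
    in_ignore = False
    issue_indent: int | None = None    # indentation of issue-id keys under `ignore:`
    issue = "?"
    rule: tuple[int, bool] | None = None   # (start line, saw a real `expires`) for the open rule
    scalar_indent: int | None = None   # indentation of the key that opened a block scalar

    def close_rule() -> None:
        nonlocal rule
        if rule is not None and not rule[1]:
            findings.append(Finding(issue, rule[0], "rule has no effective 'expires', so the ignore never lapses"))
        rule = None

    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        m = LINE_RE.match(raw.strip())
        # Anything indented deeper than a `>-` key is still part of that string literal.
        if scalar_indent is not None and indent > scalar_indent:
            if m and m.group("key") in ("expires", "created"):
                findings.append(Finding(issue, n, f"'{m.group('key')}' is indented into the reason text, not a policy field"))
            continue
        scalar_indent = None
        if m is None:
            continue
        key = m.group("key").strip()
        value = (m.group("value") or "").strip()
        if indent == 0:                      # top-level key: version/ignore/patch
            close_rule()
            in_ignore = key == "ignore"
            issue_indent = None
            continue
        if not in_ignore:
            continue
        if issue_indent is None:
            issue_indent = indent
        if indent == issue_indent and not m.group("dash"):   # a new issue id
            close_rule()
            issue = key
            continue
        if m.group("dash"):                  # "- '*':" opens a rule for this issue
            close_rule()
            rule = (n, False)
            continue
        if value in (">", ">-", "|", "|-"):  # block scalar: following deeper lines are text
            scalar_indent = indent
            continue
        if key == "expires" and rule is not None:
            rule = (rule[0], True)
            expiry = parse_timestamp(value)
            if expiry <= now:
                findings.append(Finding(issue, n, f"ignore expired on {expiry:%Y-%m-%d}; the issue will be reported again"))
    close_rule()
    return findings


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED)):
        for f in lint_policy(policy, AS_OF):
            print(f"{label}: line {f.line} [{f.issue}] {f.message}")
```

Run against the broken policy the linter reports both swallowed keys and a rule with no effective `expires`; against the fixed policy, as of 2023-12-01, it reports only the ignore that has lapsed. Letting the CLI write the entry with `snyk ignore --id=<issue-id> --reason='...' --expiry=<date>` avoids hand-indenting the file in the first place.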