snyk

How do I configure my .snyk file to fail the build automatically if the setting to ignore a particular vulnerability has passed its expiry?


I have a .snyk policy file which is supposed to ignore vulnerabilities until a given date:

version: v1.25.0
ignore:
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability should have a fix soon:
            expires: 2023-11-01T00:00:00.000Z
            created: 2023-10-11T00:00:00.000Z
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability should have a fix soon:
            expires: 2023-11-13T00:00:00.000Z
            created: 2023-10-23T00:00:00.000Z
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability will be addressed as a part of <TICKET>:
            expires: 2023-12-23T00:00:00.000Z
            created: 2023-06-23T00:00:00.000Z
patch: {}

My expectation is that these vulnerabilities should now fail the build, but that hasn't been happening. The Snyk documentation is not very clear, anywhere, about what will actually happen when the expiry is passed.

Presumably there is something wrong with my config. How do I set Snyk up to automatically fail the build when the expiry is reached?

Snyk is set up as a task in our Azure pipeline like so:

  - task: SnykSecurityScan@0
    displayName: "Snyk Security App Scan"
    inputs:
      serviceConnectionEndpoint: 'Snyk'
      testType: 'app'
      monitorOnBuild: true
      failOnIssues: true
      severityThreshold: <SEVERITY>
      additionalArguments: '--all-projects'
    env:
      AZURE_ARTIFACTS_ENV_ACCESS_TOKEN: $(System.AccessToken)

Solution

  • Figured it out - indentation for expires and created was one level too far.
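As an added illustration (not from the question or from Snyk's own tooling), this Ruby script parses the mis-indented rule next to the corrected one and shows why the original never expired: the `>-` folded `reason` scalar swallows the `expires` and `created` lines, so the rule has no expiry key at all. The vulnerability id `SNYK-EXAMPLE-0001` and the function names are constructed for the example; a pipeline step could run `policy_ok?` over the real `.snyk` file before the Snyk task to fail the build on an ignore whose expiry is missing or in the past.

```ruby
require 'yaml'; require 'time'
# Constructed .snyk fragment reproducing the question's indentation bug:
# `expires` and `created` are indented deeper than `reason`, so the `>-`
# folded scalar swallows them and the rule ends up with no expiry at all.
BROKEN_POLICY = <<~YAML
  ignore:
    SNYK-EXAMPLE-0001:
        - '*':
            reason: >-
              This vulnerability should have a fix soon:
              expires: 2023-11-01T00:00:00.000Z
              created: 2023-10-11T00:00:00.000Z
YAML

# Same rule with `expires` and `created` at the same level as `reason`.
FIXED_POLICY = <<~YAML
  ignore:
    SNYK-EXAMPLE-0001:
      - '*':
          reason: >-
            This vulnerability should have a fix soon
          expires: 2023-11-01T00:00:00.000Z
          created: 2023-10-11T00:00:00.000Z
YAML

# Classify every ignore rule as :active, :expired or :no_expiry relative
# to `now`; :no_expiry is the symptom of the mis-indented file.
def audit_ignores(policy_text, now)
  policy = YAML.safe_load(policy_text, permitted_classes: [Time])
  findings = {}
  (policy['ignore'] || {}).each do |vuln_id, rules|
    rules.each do |rule|
      rule.each_value do |attrs|
        expires = attrs['expires']
        expires = Time.iso8601(expires) if expires.is_a?(String)
        findings[vuln_id] = if expires.nil? then :no_expiry
                            elsif expires <= now then :expired
                            else :active
                            end
      end
    end
  end
  findings
end

# Pipeline gate: accept the policy only if every ignore still has a future expiry.
def policy_ok?(policy_text, now = Time.now.utc)
  audit_ignores(policy_text, now).values.all? { |state| state == :active }
end
```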