Tags: security, azure-devops, continuous-integration, azure-pipelines, snyk

How can I skip old vulnerabilities and break only with new ones using Snyk scan on Azure DevSecOps?


I am using Snyk scan on Azure DevSecOps. The online scan works. I am trying to compare a specific snapshot with the actual scan using:

- task: SnykSecurityScan@1
  inputs:
    projectName: 'POcPipeline'
    serviceConnectionEndpoint: 'conectionSnykAzure'
    severityThreshold: 'low'
    testType: 'app'
    monitorWhen: 'always'
    failOnIssues: false
  displayName: 'Run Snyk Security Scan'

- script: |
    npm install -g snyk snyk-delta
  displayName: 'Install Snyk and Snyk-Delta Tools'

- script: |
    ls -la
  displayName: 'List Workspace Files'

- script: |
    snyk test --json --print-deps | snyk-delta --baselineOrg 93d6123-a3rf-ub0f-yc93-216ecc08a338 --baselineProject 015b7a6-26rw-4e23-br47-74544067c54744d
  displayName: 'Snyk Vulnerability Delta Analysis'

I am trying to use Snyk delta to compare scans, but I am getting errors like this:

Generating script.
Script contents:
snyk test --json --print-deps | snyk-delta --baselineOrg 93d6123-a3rf-ub0f-yc93-216ecc08a338 --baselineProject 015b7a6-26rw-4e23-br47-74544067c54744d
========================== Starting Command Output ===========================
/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/0547b0-79a1-41d9-b8a1-b452342ee0.sh
Hint: use debug mode -d for more information
BadInputError: Expected 'snyk test --json' output to contain .vulnerabilities[] property but none was found. Ensure 'snyk test --json' completed successfully.
Please review the available documentation via -h or the README

##[error]Bash exited with code '2'.
Finishing: Snyk Vulnerability Delta Analysis



Solution

  • The Snyk CLI command "snyk test" requires its own authentication, apart from the plugin/scan task. The Snyk CLI command does not refer to the serviceConnection specified further above (conectionSnykAzure).

    Hence you need to run snyk auth <SNYK_API_KEY> beforehand, and make SNYK_API_KEY an env variable.

    Related Snyk docs: https://docs.snyk.io/snyk-cli/authenticate-to-use-the-cli
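As an added example (not part of the question or the answer), here is a bash wrapper for the delta step that authenticates the CLI first and then checks that the snyk test output actually carries the .vulnerabilities[] property before handing it to snyk-delta, instead of relying on a bare pipe. It assumes SNYK_TOKEN has been mapped into the step from a secret pipeline variable with env:, and that snyk and snyk-delta are installed; the function names and the snyk-test.json file name are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not the asker's or answerer's code. Assumes SNYK_TOKEN is
# exported into the step (Azure Pipelines secret variables must be mapped
# explicitly with `env:`) and that snyk and snyk-delta are on PATH.
set -euo pipefail

# snyk-delta fails with BadInputError when the JSON has no .vulnerabilities[]
# property (for example, the JSON is an authentication error instead of a
# test result). Pure-shell check so it works without jq.
has_vulnerabilities_property() {
  grep -q '"vulnerabilities"[[:space:]]*:[[:space:]]*\[' "$1"
}

# snyk test exit codes: 0 = no vulnerabilities, 1 = vulnerabilities found,
# 2 = the test itself failed (e.g. not authenticated). Codes 0 and 1 both
# mean the JSON is usable, so a bare pipe exit code is not a good "success".
snyk_test_ok() {
  case "$1" in 0|1) return 0 ;; *) return "$1" ;; esac
}

run_delta() {
  local org="$1" project="$2" out="${3:-snyk-test.json}"
  : "${SNYK_TOKEN:?SNYK_TOKEN is not set; map the secret variable with env:}"
  # The CLI does not use the task's service connection; authenticate it itself.
  snyk auth "$SNYK_TOKEN" >/dev/null
  local rc=0
  snyk test --json --print-deps > "$out" || rc=$?
  snyk_test_ok "$rc" || { echo "snyk test failed (exit $rc)" >&2; cat "$out" >&2; return "$rc"; }
  has_vulnerabilities_property "$out" || { echo "no .vulnerabilities[] in $out" >&2; return 2; }
  snyk-delta --baselineOrg "$org" --baselineProject "$project" < "$out"
}

# Run only when invoked as: ./snyk-delta-step.sh --run <orgId> <projectId>
if [ "${1:-}" = "--run" ]; then
  run_delta "$2" "$3"
fi
```

In the pipeline, keep the step's displayName and put the script call in its script block, with env: SNYK_TOKEN: $(SNYK_API_KEY) on that step so the secret reaches the CLI.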