Snyk Artifactory Upload

Overview

This Azure DevOps task provides functionality to take Snyk vulnerability report details and upload them as properties onto Artifactory artifacts. It supports three main operations: copy, process, and copyandprocess. The task interacts with a Snyk vulnerability report file generated by a preceding task (Snyk Vulnerability Scan Task).

Features

• Copy Operation:

  • Uploads the Snyk vulnerability report file to a user-specified directory (snykFilePath input).

• Process Operation:

  • Retrieves the Snyk report from the specified directory (snykFilePath input).
  • Sets properties from the report file onto designated Artifactory artifacts.
  • Artifacts can be specified either by providing a list of artifact URLs or build details (build name, number, and project name).
    • When using the url list option you can call multiple URL's seperated by a delimter (which can be configured to be a custom in the task, by default it is <,>)
    • Url's can be specific artifacts or folders, the task will set properties as long as the path is valid.
    • Do not include initial slash in URL list, example of a valid list > "path/to/some/artifact, path/to/some/folder"

Usage

Parameters

• Operation:

  • Choose one of the following operations: copy, process, copyandprocess.

• Snyk File Path (snykFilePath):

  • The directory path where the Snyk vulnerability report file will be stored or retrieved.

• Artifact Specification:

  • Specify artifacts either by providing a list of URLs or build details.

Example

- task: snyk-artifactory-azure-upload@1
    inputs:
    Operation: 'CopyAndProcess'
    SnykDirectory: '$(Pipeline.Workspace)'
    artifactoryServiceConnection: 'someserviceconnection'
    InputType: 'Build'
    BuildName: 'somebuild'
    BuildNumber: 'somebuildNumber'
    ProjectName: 'someProjectName'

Snyk Scan Data Properties

Upon successfully retrieving scan data, the following properties are set on the artifact:

• Scan Status (snyk_sast_scan_status):

  • Indicates the status of the Snyk Static Application Security Testing (SAST) scan.

• Findings Present (snyk_sast_findings_present):

  • A boolean flag indicating whether Snyk findings are present.
  • true if findings are present, false otherwise.

• Highest Severity Level (snyk_sast_highest_severity_level):

  • The highest severity level of vulnerabilities found in the scan.
  • Possible values: "high", "medium", "low", etc.

• High Severity Count (snyk_sast_high_severity_count):

  • The count of vulnerabilities with high severity.

• Medium Severity Count (snyk_sast_medium_severity_count):

  • The count of vulnerabilities with medium severity.

• Low Severity Count (snyk_sast_low_severity_count):

  • The count of vulnerabilities with low severity.

• Project Link (snyk_sast_project_link):

  • A link to the Snyk project providing detailed information about the scan results.

Contributing to Azure DevOps Snyk Vulnerability Report Task

Thank you for considering contributing to this project! Please take a moment to review the following guidelines.

Open Source Contributions

We currently do not accept open source contributions, including pull requests. The development of this project is primarily maintained by the project owners.

Bug Reports and Feature Requests

For bug reports or feature requests, please follow these steps:

1. Check if the issue has already been reported in GitHub Issues.
2. If not, open a new issue.
3. Provide detailed information about the problem or the requested feature.

Pull Requests

As mentioned earlier, we do not accept open source contributions, including pull requests. However, we appreciate your interest in improving the project.

Thank you for your understanding and support!

License

By contributing, you agree that your contributions will be licensed under the Apache License 2.0.