Snyk Tekton Tasks

A set of Tekton Tasks for using Snyk to check for vulnerabilities in your projects. A different task is required depending on which language or build tool you are using. We currently support:

• DotNet
• Golang
• Gradle
• Maven
• Node
• PHP
• Python
• Ruby
• Scala
• Swift
• Contaners
• Infrastructure as Code

Here's an example of using one of the Tasks, in this case to test a Go project:

An example pipeline definition using several of these tasks together:

apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: snyk-golang-pipeline
spec:
  params:
  - name: git-url
  - name: git-revision
    default: master
  workspaces:
  - name: shared-workspace
  tasks:
  - name: fetch-repository
    taskRef:
      name: git-clone
    workspaces:
    - name: output
      workspace: shared-workspace
    params:
    - name: url
      value: $(params.git-url)
    - name: revision
      value: $(params.git-revision)
  - name: check-for-vulnerabilities
    taskRef:
      name: snyk-golang
    runAfter:
    - fetch-repository
    workspaces:
    - name: source
      workspace: shared-workspace
  - name: check-for-container-vulnerabilities
    taskRef:
      name: snyk-container
    params:
    - name: image
      value: ubuntu:18.04
    - name: args
      value:
      - --severity-threshold=high
    runAfter:
    - fetch-repository
    workspaces:
    - name: source
      workspace: shared-workspace

  - name: check-for-misconfigurations
    taskRef:
      name: snyk-iac
    params:
    - name: file
      value: deployment.yaml
    runAfter:
    - fetch-repository
    workspaces:
    - name: source
      workspace: shared-workspace

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: snykly-source-pvc
spec:
  resources:
    requests:
      storage: 200M
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: snykly
spec:
  params:
  - name: git-url
    value: https://github.com/garethr/snykly
  pipelineRef:
    name: snyk-golang-pipeline
  workspaces:
  - name: shared-workspace
    persistentvolumeclaim:
      claimName: snykly-source-pvc

See the individual Actions linked above for per-language instructions.