what’s up guys, welcome to automationcalling.com!

Introduction

This document describes how to set up SAST and SCA scanning with Snyk in two ways: by installing the Snyk extension in the Visual Studio Code editor and by running the Snyk CLI. It then walks through the SAST and SCA results.

Snyk Extension Installation in Local/Developer Machine for SAST and SCA Scan

  1. Open the Visual Studio Code editor
  2. Install the Snyk extension
  3. Once the installation is complete, it prompts you to connect the workspace
  4. Connect with your credentials or SSO at https://app.snyk.io/
  5. The workspace is authenticated and Snyk starts analyzing your project in VS Code; the results are shown below
  6. Finally, the Code Security, Code Quality, Configuration, and Open Source Security results are shown below
    1. Open Source Security → SCA (OSS)
    2. Code Security and Code Quality → SAST

Snyk Cheat Sheets

The cheat sheets show the easiest way to install the Snyk CLI and run its commands; refer to the Snyk Cheat Sheets.

Snyk CLI Execution in Local/Remote Instance

Pre-requisites

  1. Install the Snyk CLI
    1. For Windows:
      • scoop bucket add snyk <github/bitbucket url>
      • scoop install snyk
    2. For Mac:
      • brew tap snyk/tap
      • brew install snyk
    3. For NPM:
      • npm install -g snyk
  2. Authenticate Snyk: snyk auth
    1. The token can be found after logging in by clicking your user name → Account Settings → General → Click to show Token

Run SCA and Publish Vulnerabilities in Snyk Dashboard using CLI

  1. Command to run SCA and publish to the dashboard: snyk monitor
    • The monitor command runs SCA and creates a project in the Snyk SaaS dashboard that is continuously monitored for newly disclosed vulnerabilities in the same dependencies

CI/CD Setup for Jenkins Pipeline

Pre-Requisites

  1. Install the NPM packages:
  2. npm install -g snyk
  3. npm install -g snyk-to-html
  4. Add your Service Account as a Snyk member
  5. User → Account Settings → under the API section → Click to show
  6. Configure the API token under Jenkins Credentials

Note:

  1. snyk-to-html converts the JSON report into an HTML file, for example:
  2. snyk code test --all-projects --json | snyk-to-html > filename.html

Jenkins CLI

To run SCA:

  1. snyk auth $token
  2. snyk test || true (the || true keeps the pipeline stage from failing when vulnerabilities are found, so the build itself never breaks on findings)

To run SAST:

  1. snyk code test

Exporting the Test Results in JSON or SARIF Format

https://docs.snyk.io/scan-application-code/snyk-code/cli-for-snyk-code/working-with-the-snyk-code-cli-results/outputting-the-test-results-to-a-json-or-sarif-format-in-the-terminal

snyk code test --sarif-file-output=resultssast.sarif
snyk code test --json-file-output=devportal_frontend_sast.json 
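The Jenkins pre-requisites, the SCA/SAST commands and the JSON/SARIF export above can be combined into one declarative pipeline. The Jenkinsfile below is an added example written for this post, not a file from Snyk or from the original article. It assumes a Jenkins agent with Node.js on its PATH, a "Secret text" credential with the hypothetical id snyk-api-token holding the service-account token, and a main branch on which the project is published to the dashboard with snyk monitor.

```groovy
// Added example Jenkinsfile (not from the original post).
// Assumptions: Node.js is available on the agent, and a Jenkins "Secret text"
// credential with id 'snyk-api-token' (hypothetical id) holds the Snyk token.
pipeline {
    agent any

    environment {
        // credentials() masks the value in the console log and exposes it as an env var
        SNYK_TOKEN = credentials('snyk-api-token')
    }

    stages {
        stage('Install Snyk CLI') {
            steps {
                // Same packages as the pre-requisites section
                sh 'npm install -g snyk snyk-to-html'
            }
        }

        stage('Authenticate') {
            steps {
                // Single quotes: the shell expands $SNYK_TOKEN, so Groovy never
                // interpolates the secret into the command string
                sh 'snyk auth "$SNYK_TOKEN"'
            }
        }

        stage('SCA - Open Source dependencies') {
            steps {
                // || true mirrors the post: findings are reported, the build is not failed
                sh 'snyk test --json-file-output=sca.json || true'
                // Convert the JSON report into a browsable HTML page
                sh 'snyk-to-html -i sca.json -o sca.html'
            }
        }

        stage('SAST - Snyk Code') {
            steps {
                sh 'snyk code test --sarif-file-output=sast.sarif --json-file-output=sast.json || true'
                sh 'snyk-to-html -i sast.json -o sast.html'
            }
        }

        stage('Publish to Snyk dashboard') {
            when { branch 'main' }
            steps {
                // snyk monitor creates/updates the project for continuous monitoring
                sh 'snyk monitor'
            }
        }
    }

    post {
        always {
            // Keep the raw JSON/SARIF and the HTML reports with the build
            archiveArtifacts artifacts: 'sca.json, sca.html, sast.json, sast.sarif, sast.html',
                             allowEmptyArchive: true
        }
    }
}
```

If you want the build to fail on serious findings instead of always passing, replace the `|| true` on the test steps with Snyk's `--severity-threshold=high` option, which makes `snyk test` and `snyk code test` exit non-zero only for high and critical issues; the SARIF file can additionally be fed to a Jenkins SARIF-capable plugin such as Warnings NG to show the SAST findings in the build UI.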

Reference:

https://docs.snyk.io/integrations/ci-cd-integrations/jenkins-integration-overview
