Attesting Snyk Scans #

Snyk scans analyze your source code, docker images and IaC source for security issues and vulnerabilities. Reporting these results to Kosli is beneficial for:

  • Tracking whether the snyk scan happened on a given artifact or trail or not.
  • Keeping a record of the findings.

In this tutorial, we will see how you can run and attest different types of Snyk scans to Kosli. We will run the scans on the Kosli CLI git repo.

While snyk attestations can be bound to a trail or an artifact in a trail, this tutorial demonstrates it only on trails for simplicity.

Getting ready #

To follow the steps in this tutorial, you need to:

Creating a Flow and Trail #

We will start by creating a flow in Kosli to contain Trails and Artifacts for this demo.

kosli create flow snyk-demo --use-empty-template
--use-empty-template indicates that this flow does not have a predefined set of required attestations.

Then, we can start a trail to bind our snyk attestations to.

kosli begin trail test-1 --flow snyk-demo

Now we can start running Snyk scans and attest them to this trail.

After each attestation in the sections below, you can navigate to: https://app.kosli.com/<your-personal-org-name>/flows/snyk-demo/trails/test-1 to view the status of the trail in Kosli.

Snyk Open source scan #

Snyk Open Source allows you to find and fix vulnerabilities in the open-source libraries used by your applications.

You can run a snyk opens source scan and report it to Kosli as follows:

snyk test --sarif-file-output=os.json

kosli attest snyk --flow snyk-demo --trail test-1 --name open-source-scan --scan-results os.json --commit HEAD
--commit allows you to relate the attestation to a specific git commit.

Snyk Code scan #

Snyk Code lets you scan your source code for security issues.

You can run a snyk code scan and report it to Kosli as follows:

snyk code test --sarif-file-output=code.json

kosli attest snyk --flow snyk-demo --trail test-1 --name code-scan --scan-results code.json --commit HEAD

Snyk Container scan #

Snyk Container lets you scan your container images for security issues.

You can run a snyk container scan and report it to Kosli as follows:

# pull the cli docker image before scanning it
docker pull ghcr.io/kosli-dev/cli:v2.8.3
snyk container test ghcr.io/kosli-dev/cli:v2.8.3  --file=Dockerfile --sarif-file-output=container.json

kosli attest snyk --flow snyk-demo --trail test-1 --name container-scan --scan-results container.json --commit HEAD

Snyk IaC scan #

Snyk IaC lets you scan various types of IaC configuration files (e.g. Terraform, Kubernetes, Helm) for security issues.

We can run a snyk IaC scan on the K8S reporter Helm chart and report it to Kosli as follows:

helm template ./charts/k8s-reporter --output-dir helm \
  --set kosliApiToken.secretName=secret \
  --set reporterConfig.kosliEnvironmentName=foo \
  --set reporterConfig.kosliOrg=bar

snyk iac test helm  --sarif-file-output=helm.json

kosli attest snyk --flow snyk-demo --trail test-1 --name helm-scan --scan-results helm.json --commit HEAD

You can refer to the Snyk docs for more information on supported IaC configuration formats and how you can run snyk scans on them.

For more details about the kosli attest snyk command, please refer to its CLI reference.