Attesting Snyk Scans #
Snyk scans analyze your source code, docker images and IaC source for security issues and vulnerabilities. Reporting these results to Kosli is beneficial for:
- Tracking whether the snyk scan happened on a given artifact or trail or not.
- Keeping a record of the findings.
In this tutorial, we will see how you can run and attest different types of Snyk scans to Kosli. We will run the scans on the Kosli CLI git repo.
While snyk attestations can be bound to a trail or an artifact in a trail, this tutorial demonstrates it only on trails for simplicity.
Getting ready #
To follow the steps in this tutorial, you need to:
- Setup Snyk on your machine.
- Install Helm if you want to try Snyk IaC attestations, otherwise skip.
- Install Docker if you want to try Snyk container attestations, otherwise skip.
- Create a Kosli account (Skip if you already have one).
- Install Kosli CLI.
- Get a Kosli API token.
- Set the
KOSLI_ORGenvironment variable to your personal org name andKOSLI_API_TOKENto your token:$ export KOSLI_ORG=<your-personal-kosli-org-name> $ export KOSLI_API_TOKEN=<your-api-token> - Clone the Kosli CLI git repo
$ git clone https://github.com/kosli-dev/cli.git $ cd cli
Creating a Flow and Trail #
We will start by creating a flow in Kosli to contain Trails and Artifacts for this demo.
$ kosli create flow snyk-demo --use-empty-template
--use-empty-template indicates that this flow does not have a predefined set of required attestations.
Then, we can start a trail to bind our snyk attestations to.
$ kosli begin trail test-1 --flow snyk-demo
Now we can start running Snyk scans and attest them to this trail.
After each attestation in the sections below, you can navigate to: https://app.kosli.com/<your-personal-org-name>/flows/snyk-demo/trails/test-1 to view the status of the trail in Kosli.
Snyk Open source scan #
Snyk Open Source allows you to find and fix vulnerabilities in the open-source libraries used by your applications.
You can run a snyk opens source scan and report it to Kosli as follows:
$ snyk test --sarif-file-output=os.json
$ kosli attest snyk --flow snyk-demo --trail test-1 --name open-source-scan --scan-results os.json --commit HEAD
--commit allows you to relate the attestation to a specific git commit.
Snyk Code scan #
Snyk Code lets you scan your source code for security issues.
You can run a snyk code scan and report it to Kosli as follows:
$ snyk code test --sarif-file-output=code.json
$ kosli attest snyk --flow snyk-demo --trail test-1 --name code-scan --scan-results code.json --commit HEAD
Snyk Container scan #
Snyk Container lets you scan your container images for security issues.
You can run a snyk container scan and report it to Kosli as follows:
# pull the cli docker image before scanning it
$ docker pull ghcr.io/kosli-dev/cli:v2.8.3
$ snyk container test ghcr.io/kosli-dev/cli:v2.8.3 --file=Dockerfile --sarif-file-output=container.json
$ kosli attest snyk --flow snyk-demo --trail test-1 --name container-scan --scan-results container.json --commit HEAD
Snyk IaC scan #
Snyk IaC lets you scan various types of IaC configuration files (e.g. Terraform, Kubernetes, Helm) for security issues.
We can run a snyk IaC scan on the K8S reporter Helm chart and report it to Kosli as follows:
$ helm template ./charts/k8s-reporter --output-dir helm \
--set kosliApiToken.secretName=secret \
--set reporterConfig.kosliEnvironmentName=foo \
--set reporterConfig.kosliOrg=bar
$ snyk iac test helm --sarif-file-output=helm.json
$ kosli attest snyk --flow snyk-demo --trail test-1 --name helm-scan --scan-results helm.json --commit HEAD
You can refer to the Snyk docs for more information on supported IaC configuration formats and how you can run snyk scans on them.
For more details about the kosli attest snyk command, please refer to its CLI reference.
