Turn snyk code on

.github/workflows/docker.yml

@@ -156,7 +156,7 @@ jobs:
           --org ${{ inputs.kosli_org }}
 
 
-    - name: Run Snyk to scan the Docker image for vulnerabilities
+    - name: Run Snyk Container Test to scan the Docker image for vulnerabilities
       env:
         SNYK_TOKEN: ${{ secrets.snyk_token }}
       run: 
@@ -176,7 +176,7 @@ jobs:
             --flow ${{ inputs.flow_name }}
             --trail ${{ inputs.trail_name }} 
             --fingerprint ${{ env.FINGERPRINT }} 
-            --name snyk-container
+            --name snyk-container-test
             --scan-results snyk-docker.json
             --org ${{ inputs.kosli_org }}
 

.github/workflows/test.yml

@@ -182,10 +182,9 @@ jobs:
         SLACK_USERNAME: GithubActions
         SLACK_WEBHOOK: ${{ secrets.slack_webhook }}
 
-  snyk-code:
-    if: false # Disable snyk code scans because we reached the monthly limit
-    #if: ${{ inputs.run_snyk }}  # Uncomment this when we re-enable snyk code scans
-    name: Snyk Code
+  snyk-code-test:
+    if: ${{ inputs.run_snyk }}
+    name: Snyk Code Test
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -207,14 +206,14 @@ jobs:
       env:
         SNYK_TOKEN: ${{ secrets.snyk_token }}
       run: 
-          snyk test --sarif --policy-path=.snyk  --sarif-file-output=snyk-code.json --prune-repeated-subdependencies
+          snyk code test --sarif --policy-path=.snyk  --sarif-file-output=snyk-code.json --prune-repeated-subdependencies
 
     - name: Report Snyk Code to Kosli
       if:  ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) &&  (success() || failure()) && inputs.report_results }}
       env:
         KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
       run: kosli attest snyk 
-           --name snyk-code 
+           --name snyk-code-test 
            --flow ${{ inputs.FLOW_NAME }}  
            --trail ${{ inputs.TRAIL_NAME }} 
            --scan-results  snyk-code.json
@@ -229,3 +228,50 @@ jobs:
         SLACK_TITLE: Snyk Code Failed in CLI repository
         SLACK_USERNAME: GithubActions
         SLACK_WEBHOOK: ${{ secrets.slack_webhook }}
+
+  snyk-dependency-test:
+    if: ${{ inputs.run_snyk }}
+    name: Snyk Dependency Test
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+
+    - uses: actions/checkout@v4
+
+    - name: setup Snyk
+      uses: snyk/actions/setup@master
+
+    - name: setup-kosli-cli
+      uses: kosli-dev/setup-cli-action@v2
+      with:
+        version:
+          ${{ vars.KOSLI_CLI_VERSION }}
+
+    - name: Run Snyk to check dependencies for vulnerabilities
+      env:
+        SNYK_TOKEN: ${{ secrets.snyk_token }}
+      run: 
+          snyk test --sarif --policy-path=.snyk  --sarif-file-output=snyk-code.json --prune-repeated-subdependencies
+
+    - name: Report Snyk Test to Kosli
+      if:  ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) &&  (success() || failure()) && inputs.report_results }}
+      env:
+        KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
+      run: kosli attest snyk 
+           --name snyk-dependency-test 
+           --flow ${{ inputs.FLOW_NAME }}  
+           --trail ${{ inputs.TRAIL_NAME }} 
+           --scan-results  snyk-dependency-test.json
+           --org ${{ inputs.KOSLI_ORG }}
+
+    - name: Slack Notification on Failure
+      if: ${{ failure() }}
+      uses: rtCamp/action-slack-notify@v2
+      env:
+        SLACK_CHANNEL: ${{ secrets.slack_channel }}
+        SLACK_COLOR: ${{ job.status }}
+        SLACK_TITLE: Snyk Test Failed in CLI repository
+        SLACK_USERNAME: GithubActions
+        SLACK_WEBHOOK: ${{ secrets.slack_webhook }}

.snyk

@@ -2,10 +2,19 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-
-  SNYK-GOLANG-K8SIOCLIENTGOTRANSPORT-7538822:
+  snyk:lic:golang:github.com:hashicorp:go-retryablehttp:MPL-2.0:
     - '*':
-        reason: This is indirect dependency of k8s.io/client-go and does not really impact the CLI. Waiting for next k8s releases to fix it.
-        expires: 2024-09-19T10:26:12.080Z
-        created: 2024-07-19T10:26:12.086Z
+        reason: "Choosing to ignore this licence issue for now"
+        expires: "2025-07-01T00:00:00Z"
+
+  snyk:lic:golang:github.com:hashicorp:go-cleanhttp:MPL-2.0:
+    - '*':
+        reason: "Choosing to ignore this licence issue for now"
+        expires: "2025-07-01T00:00:00Z"
+
 patch: {}
+
+exclude:
+  global:
+    - internal/azure/azure_apps.go
+    - cmd/kosli/root.go

bin/reset-or-start-server.sh

@@ -37,5 +37,5 @@ else
 fi
 
 echo creating test users on server ...
-docker exec $container_name /demo/create_cli_test_users.py
+docker exec $container_name /demo/create_standalone_test_users.py
 check_success

main-flow-template.yml

@@ -7,14 +7,16 @@ trail:
     type: generic
   - name: test
     type: junit
-  - name: snyk-code
+  - name: snyk-code-test
+    type: snyk
+  - name: snyk-dependency-test
     type: snyk
   - name: never-alone-data
     type: generic
   artifacts:
   - name: cli-docker
     attestations:
-    - name: snyk-container
+    - name: snyk-container-test
       type: snyk
     - name: smoke-test
       type: generic