# snykExecute

## Description

This step performs an open-source dependency vulnerability scan on a Node project, or on a Node module inside an MTA project, through snyk.io.
## Prerequisites

- Snyk account - have an account on snyk.io
- Snyk token - have a Snyk user token; store it as a Jenkins credential and reference it via `snykCredentialsId` rather than placing the token itself in the Jenkinsfile or config.yml
## Parameters

| name | mandatory | default | possible values |
|---|---|---|---|
| buildDescriptorFile | no | `./package.json` | |
| dockerEnvVars | no | | |
| dockerImage | no | `node:lts-buster` | |
| dockerOptions | no | | |
| dockerWorkspace | no | | |
| exclude | no | `[]` | |
| monitor | no | `true` | |
| scanType | no | `npm` | `npm`, `mta` |
| script | yes | | |
| snykCredentialsId | yes | | Jenkins credentials id |
| snykOrg | no | | |
| toHtml | no | `false` | |
| toJson | no | `false` | |
buildDescriptorFile
- The path to the build descriptor file, e.g. `./package.json`.

dockerEnvVars
- Environment variables to set in the container, e.g. `[http_proxy: 'proxy:8080']`.

dockerImage
- Name of the Docker image that should be used. Configure with an empty value to execute the command directly on the Jenkins system (not using a container). Omit to use the default image (cf. `default_pipeline_environment.yml`). Overwrite to use a custom Docker image.

dockerOptions
- Docker only: Docker options to be set when starting the container (List or String).

dockerWorkspace
- Kubernetes only: Specifies a dedicated user home directory for the container which will be passed as value for the environment variable `HOME`.

exclude
- Only scanType `mta`: Exclude modules from MTA projects.

monitor
- Monitor the application's dependencies for new vulnerabilities. Enabled by default; when enabled, `snykOrg` must be set.

scanType
- The type of project that should be scanned.

script
- The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with the `this` parameter, as in `script: this`. This allows the function to access the `commonPipelineEnvironment`, e.g. for retrieving configuration parameters.

snykCredentialsId
- The ID of the Jenkins credential holding the Snyk token used for accessing the Snyk API. Only the credential ID is configured here; the token itself stays in the Jenkins credentials store.

snykOrg
- Only needed for `monitor: true`: The organisation ID to determine the organisation to report to.

toHtml
- Generate and archive an HTML report.

toJson
- Generate and archive a JSON report.
## Step configuration

We recommend defining the values of step parameters in the config.yml file.
The configuration is possible in the following sections of config.yml:
| parameter | general | step/stage |
|---|---|---|
| buildDescriptorFile | X | |
| dockerEnvVars | X | |
| dockerImage | X | |
| dockerOptions | X | |
| dockerWorkspace | X | |
| exclude | X | |
| monitor | X | |
| scanType | X | |
| script | | |
| snykCredentialsId | X | X |
| snykOrg | X | |
| toHtml | X | |
| toJson | X | |
## Dependencies

The step depends on the following Jenkins plugins:
- credentials-binding
- docker
- kubernetes
- pipeline-utility-steps
- workflow-basic-steps
- workflow-cps
- workflow-cps-global-lib
- workflow-durable-task-step
The kubernetes plugin is only used when running in a Kubernetes environment. Transitive dependencies are omitted.
The list might be incomplete.
Consider using the ppiper/jenkins-master Docker image, which comes with these plugins preinstalled.
## Side effects

The step uses `dockerExecute` internally.
## Exceptions

none
## Example

```groovy
snykExecute script: this, snykCredentialsId: 'mySnykToken'
```