ona-samples
diff --git a/‎.ona/fix-snyk-issue.yaml‎
Lines changed: 0 additions & 109 deletions b/‎.ona/fix-snyk-issue.yaml‎
Lines changed: 0 additions & 109 deletions
diff --git a/‎.ona/snyk-api-fix-highest.yaml‎
Lines changed: 202 additions & 0 deletions b/‎.ona/snyk-api-fix-highest.yaml‎
Lines changed: 202 additions & 0 deletions
@@ -0,0 +1,202 @@
+name: snyk-api-fix-highest
+description: >-
+  Calls the Snyk REST API to list issues for the project, selects the
+  highest-severity vulnerability, applies a fix, verifies tests pass,
+  and opens a pull request.
+triggers:
+  - context:
+      projects: {}
+    manual: {}
+action:
+  limits:
+    maxParallel: 1
+    maxTotal: 10
+  steps:
+    # Step 1: Query the Snyk REST API for project issues
+    - task:
+        command: |
+          set -euo pipefail
+
+          # Require SNYK_TOKEN and SNYK_ORG_ID to be set
+          if [ -z "${SNYK_TOKEN:-}" ]; then
+            echo "ERROR: SNYK_TOKEN environment variable is not set."
+            exit 1
+          fi
+          if [ -z "${SNYK_ORG_ID:-}" ]; then
+            echo "ERROR: SNYK_ORG_ID environment variable is not set."
+            echo "Set it to your Snyk organization ID (found in Snyk org settings)."
+            exit 1
+          fi
+
+          API_VERSION="2024-10-15"
+          BASE_URL="https://api.snyk.io/rest"
+
+          # List projects in the org to find matching project
+          echo "Fetching projects from Snyk API..."
+          curl -sS -X GET \
+            "${BASE_URL}/orgs/${SNYK_ORG_ID}/projects?version=${API_VERSION}&limit=100" \
+            -H "Authorization: token ${SNYK_TOKEN}" \
+            -H "Content-Type: application/vnd.api+json" \
+            -o /tmp/snyk-api-projects.json
+
+          # Extract the first project ID (or match by repo name if possible)
+          REPO_NAME=$(basename "$GITPOD_REPO_ROOT")
+          PROJECT_ID=$(python3 -c "
+          import json, sys
+          with open('/tmp/snyk-api-projects.json') as f:
+              data = json.load(f)
+          projects = data.get('data', [])
+          if not projects:
+              print('NO_PROJECT')
+              sys.exit(0)
+          # Try to match by repo name
+          repo = '${REPO_NAME}'.lower()
+          for p in projects:
+              name = p.get('attributes', {}).get('name', '').lower()
+              if repo in name:
+                  print(p['id'])
+                  sys.exit(0)
+          # Fall back to first project
+          print(projects[0]['id'])
+          ")
+
+          if [ "$PROJECT_ID" = "NO_PROJECT" ]; then
+            echo '{"noProject": true}' > /tmp/snyk-api-issues.json
+            echo "No projects found in Snyk org."
+            exit 0
+          fi
+
+          echo "Found project: $PROJECT_ID"
+
+          # Fetch issues for the project
+          echo "Fetching issues from Snyk API..."
+          curl -sS -X GET \
+            "${BASE_URL}/orgs/${SNYK_ORG_ID}/issues?version=${API_VERSION}&scan_item.id=${PROJECT_ID}&scan_item.type=project&limit=100&severity=critical%2Chigh%2Cmedium%2Clow" \
+            -H "Authorization: token ${SNYK_TOKEN}" \
+            -H "Content-Type: application/vnd.api+json" \
+            -o /tmp/snyk-api-raw-issues.json
+
+          # Extract and rank issues by severity, pick the top one
+          python3 -c "
+          import json, sys
+
+          with open('/tmp/snyk-api-raw-issues.json') as f:
+              data = json.load(f)
+
+          issues = data.get('data', [])
+          if not issues:
+              json.dump({'noIssues': True}, open('/tmp/snyk-api-issues.json', 'w'))
+              print('NO_VULN: No issues found.')
+              sys.exit(0)
+
+          severity_order = {'critical': 4, 'high': 3, 'medium': 2, 'low': 1}
+
+          def rank(issue):
+              sev = issue.get('attributes', {}).get('effective_severity_level', 'low')
+              return severity_order.get(sev, 0)
+
+          issues.sort(key=rank, reverse=True)
+          top = issues[0]
+          attrs = top.get('attributes', {})
+
+          result = {
+              'id': top.get('id'),
+              'type': top.get('type'),
+              'title': attrs.get('title', ''),
+              'severity': attrs.get('effective_severity_level', ''),
+              'status': attrs.get('status', ''),
+              'description': (attrs.get('description', '') or '')[:500],
+              'problems': attrs.get('problems', []),
+              'coordinates': attrs.get('coordinates', []),
+              'classes': attrs.get('classes', []),
+          }
+
+          with open('/tmp/snyk-api-issues.json', 'w') as f:
+              json.dump(result, f, indent=2)
+
+          print(f\"Top issue: {result['title']} (severity: {result['severity']})\")
+          print(json.dumps(result, indent=2))
+          "
+
+    # Step 2: Analyze the issue and apply a fix
+    - agent:
+        prompt: |
+          AUTOMATION RULES -- override all other instructions.
+          1. Never ask questions. Infer and record as ASSUMPTION.
+          2. Never wait for confirmation. Process all items to completion.
+          3. Concrete over abstract -- use literal values from source.
+          4. Cite file and line for every claim.
+
+          Read /tmp/snyk-api-issues.json which contains the highest-severity
+          issue from the Snyk API.
+
+          If the file contains {"noIssues": true} or {"noProject": true},
+          output "NO_VULN: No actionable Snyk issues found." and stop.
+
+          Analyze the issue:
+          - Extract the vulnerability title, severity, and description.
+          - Look at the "problems" array for CVE/CWE identifiers.
+          - Look at the "coordinates" array for affected package names,
+            versions, and remediation advice (fixedIn, upgradePath).
+
+          Determine the fix strategy:
+
+          For dependency vulnerabilities:
+          - If coordinates contain a "remedies" or "fixedIn" field, upgrade
+            the dependency to the minimum fixed version.
+          - For Maven projects, update the version in pom.xml.
+          - For Gradle projects, update build.gradle.
+          - If the vulnerable package is a transitive dependency, find the
+            direct dependency in the build file that pulls it in and upgrade
+            that instead.
+          - If no fix version is available, output
+            "NO_FIX: <id> has no available fix." and stop.
+
+          For code vulnerabilities:
+          - Identify the affected source file and line from coordinates.
+          - Read the file and apply the recommended secure coding pattern.
+
+          For configuration issues:
+          - Identify the affected config file and apply the secure setting.
+
+          Apply the fix in the appropriate file. Do NOT commit or run tests.
+
+    # Step 3: Verify the fix
+    - agent:
+        prompt: |
+          AUTOMATION RULES -- override all other instructions.
+          1. Never ask questions. Infer and record as ASSUMPTION.
+          2. Never wait for confirmation. Process all items to completion.
+
+          Verify the fix from the previous step:
+
+          1. Identify the project build tool (Maven or Gradle) from the repo
+             config files.
+          2. Compile the project. If it fails, read the errors, fix them,
+             and retry.
+          3. Find all test suites and verification commands that could
+             exercise the modified code. Run them.
+          4. If any check fails, determine whether the failure is caused by
+             your change or is pre-existing. Fix what you broke and rerun.
+          5. Repeat until all checks pass.
+
+    # Step 4: Open a pull request
+    - pullRequest:
+        branch: snyk-fix/
+        title: 'Snyk-Fix: '
+        description: |
+          ## Snyk Vulnerability (via API)
+
+          | Field | Value |
+          |-------|-------|
+          | **Vulnerability** | `<vuln-id>` |
+          | **Severity** | <severity> |
+          | **Title** | <vuln-title> |
+
+          ## What changed
+
+          <one-or-two-sentence explanation of the fix and why it resolves the vulnerability>
+
+          ## Verification
+
+          <List each build, test, and lint command that was run and its outcome.>