
PC-294: fix kondukto scan #163

Merged: aliwoodman merged 15 commits into main from PC-000-kondukto-scan on Dec 18, 2025

Conversation

@aliwoodman (Contributor) commented Dec 12, 2025

Ticket: https://ourfuturehealth.atlassian.net/browse/PC-294

This PR introduces Snyk scanning to the design-system-toolkit repository, replacing semgrep as recommended by @DionKontopodias.

Other repos use the reusable action from the kondukto-scan repository for Snyk scanning, but since the reusable action is in a private repository, we cannot use it directly in this repo, which is public.

I don't have a very clear view on exactly what we are aiming for - this ticket was created because we saw the kondukto scan fail, e.g. here. In a thread and in some messages Dion seemed to suggest an approach like this, which is what I've attempted to add.

I've copied over the snyk-specific logic with a couple of changes:

  • Snyksast Results: The snyksast scan is not producing any results, which was causing an error because it does not create an output file (seen in logs on this run when running the snyk commands in debug mode - e.g. '[json-file-output] The input is empty, skipping rendering!'). Instead of failing when no file is created, I'm logging this, as the command has actually succeeded at this point. The scan appears to process 35 files, which is close to the number of .js files in the repository - the project primarily consists of .njk templates, which may explain the lack of results (but I'm not totally sure).
  • Unlike the original, this script fails if snyk auth fails - the original script would log but continue and the job would succeed without running scans even if scans were requested. (This may be a wider change worth making in the reusable action? Other pathways can fail too in this script and similarly not cause it to fail - will raise with Security to see if intended)
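
The two behaviour changes described above (fail the job when snyk auth fails; log rather than fail when a completed scan writes no results file), sketched as a POSIX shell script. This is an added example, not the PR's own script or the kondukto-scan action; it assumes the snyk CLI is on PATH, SNYK_TOKEN is in the environment, and snyk's documented exit codes (0 no issues, 1 issues found, 2 CLI failure, 3 nothing to scan).

```shell
#!/bin/sh
# Added example, not the PR's own script. Assumes the snyk CLI is on PATH,
# SNYK_TOKEN holds the API token, and snyk's documented exit codes:
# 0 = no issues, 1 = issues found, 2 = CLI failure, 3 = nothing to scan.

# Step 1: authenticate, failing the job if authentication fails. The
# original reusable action logged this and carried on, so a job could go
# green without any scan having run.
snyk_authenticate() {
  if [ -z "${SNYK_TOKEN:-}" ]; then
    echo "snyk auth: SNYK_TOKEN is not set; failing the job" >&2
    return 1
  fi
  if ! snyk auth "$SNYK_TOKEN" >/dev/null 2>&1; then
    echo "snyk auth failed; refusing to continue without scans" >&2
    return 1
  fi
  echo "snyk auth ok"
}

# Step 2: run the SAST scan. Returns 0 when the CLI ran to completion
# (with or without a results file) and the CLI's own code on failure.
# A missing results file after a clean run is the "[json-file-output]
# The input is empty" case from the PR: log it instead of failing.
snyk_sast_scan() {
  out="${1:-snyk-sast.json}"
  rm -f "$out"
  snyk code test --json-file-output="$out" && rc=0 || rc=$?
  case "$rc" in
    0|1) ;;  # scan completed: 0 = clean, 1 = findings written to $out
    *) echo "snyk code test failed (exit $rc)" >&2; return "$rc" ;;
  esac
  if [ ! -s "$out" ]; then
    echo "snyk code test completed but produced no results file ($out); nothing to upload"
    return 0
  fi
  echo "snyk code test wrote $out (exit $rc)"
  return 0
}

main() {
  snyk_authenticate || exit 1
  snyk_sast_scan "${SNYK_SAST_OUTPUT:-snyk-sast.json}" || exit 1
}

# Only run when invoked as "./snyk-scan.sh run", so the functions can be
# sourced and exercised with a stub snyk command.
if [ "${1:-}" = "run" ]; then main; fi
```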

netlify bot commented Dec 12, 2025

Deploy Preview for ofh-design-system-docs ready!

Latest commit: 8f3f526
Latest deploy log: https://app.netlify.com/projects/ofh-design-system-docs/deploys/6942c6a97d722e0008d4f27f
Deploy Preview: https://deploy-preview-163--ofh-design-system-docs.netlify.app

@aliwoodman force-pushed the PC-000-kondukto-scan branch 2 times, most recently from febc546 to a336ed9 on December 17, 2025 10:55
This reverts commit 762864c.
@aliwoodman merged commit 54c0d01 into main on Dec 18, 2025
6 of 7 checks passed
@aliwoodman deleted the PC-000-kondukto-scan branch on December 18, 2025 10:48

3 participants