Skip to content

PC-294: fix kondukto scan #163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aliwoodman merged 15 commits into from
Dec 18, 2025
Merged

PC-294: fix kondukto scan #163

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
d41ff23
use snyk in kondukto scan
aliwoodman Dec 12, 2025
8937501
use kondukto-scan reusable action
aliwoodman Dec 12, 2025
94e7eb5
snyk script
aliwoodman Dec 12, 2025
b81e44c
updated
aliwoodman Dec 12, 2025
d783558
install snyk
aliwoodman Dec 12, 2025
0cfd755
remove chmod
aliwoodman Dec 12, 2025
f1f6847
re-add chmod for snyk install
aliwoodman Dec 12, 2025
a336ed9
Make snyk-scans.sh executable
aliwoodman Dec 12, 2025
50187cd
install kdt cli before scan step
aliwoodman Dec 17, 2025
762864c
full script
aliwoodman Dec 17, 2025
1798ee7
Revert "full script"
aliwoodman Dec 17, 2025
d7b66be
Reapply "full script"
aliwoodman Dec 17, 2025
5f78649
shorten script
aliwoodman Dec 17, 2025
4f29fe2
full script test
aliwoodman Dec 17, 2025
8f3f526
Revert "full script test"
aliwoodman Dec 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 105 additions & 0 deletions .github/scripts/snyk-scans.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
#!/bin/bash
set -euo pipefail

TOKEN="$1"
PROJECT_NAME="$2"
BRANCH="$3"
VERBOSITY="$4"
SNYK_TOKEN="$5"

HOST="https://ourfuturehealth.kondukto.io"

# Function to print debug messages only when verbosity is enabled
debug() {
if [[ "$VERBOSITY" == "true" ]]; then
echo "[DEBUG] $1"
fi
}

# Function to log errors
log_error() {
echo "[ERROR] $1" >&2
exit 1
}

# Function to perform Snyk scans (SAST and SCA)
run_snyk_scans() {
local tool="$1"
local branch_name="$BRANCH"
local output_file="${tool}_results.json"

if [[ -z "${SNYK_TOKEN:-}" ]]; then
log_error "⚠️ Scan $tool skipped: No SNYK_TOKEN provided! Please set 'SNYK_TOKEN' in the GitHub Action inputs."
fi

export SNYK_TOKEN="$SNYK_TOKEN"
export SNYK_API="https://app.eu.snyk.io/api"

# Authenticate with Snyk
if ! $GITHUB_WORKSPACE/snyk auth "$SNYK_TOKEN"; then
log_error "⚠️ Scan ($tool) skipped: Snyk authentication failed! Ensure the SNYK_TOKEN is valid."
fi

debug "Running $tool scan on branch: $branch_name"

# Build the Snyk command based on the tool
local snyk_command
if [[ "$tool" == "snyksca" ]]; then
snyk_command="$GITHUB_WORKSPACE/snyk test \
--target-reference=\"$branch_name\" \
--all-projects \
--json-file-output=\"$output_file\""
elif [[ "$tool" == "snyksast" ]]; then
snyk_command="$GITHUB_WORKSPACE/snyk code test \
--target-reference=\"$branch_name\" \
--all-projects \
--json-file-output=\"$output_file\""
fi

debug "Executing Snyk command: $snyk_command"
eval "$snyk_command" 2>&1 | tee snyk_debug.log
snyk_exit_code=$?

if [[ "$snyk_exit_code" -eq 0 || "$snyk_exit_code" -eq 1 ]]; then
debug "Snyk scan ($tool) completed successfully with exit code $snyk_exit_code."
else
log_error "⚠️ Snyk scan ($tool) failed! Exit code: $snyk_exit_code"
fi

# Check if the output file was created
if [[ -f "$output_file" ]]; then
debug "Snyk scan results saved in: $output_file"
debug "Uploading scan results to Kondukto API..."
response=$(curl --location --request POST "$HOST/api/v2/scans/import" \
--header "X-Cookie: $TOKEN" \
--header "Content-Type: multipart/form-data" \
--form "project=$PROJECT_NAME" \
--form "branch=$BRANCH" \
--form "tool=$tool" \
--form "file=@$output_file" \
--silent --write-out "%{http_code}" --output kondukto_upload_response.json)

http_code="${response: -3}"

if [[ "$http_code" -ne 200 ]]; then
log_error "🚨 Failed to upload results to Kondukto! HTTP status: $http_code"
cat kondukto_upload_response.json # Show API response for debugging
fi

debug "✅ Successfully uploaded Snyk scan results to Kondukto."
else
debug "Snyk scan results file ($output_file) was not found!"
fi
}

# Main function to orchestrate Snyk scans
run_all_scans() {
debug "Starting Snyk scans..."
run_snyk_scans "snyksca"
run_snyk_scans "snyksast"
echo "✅ All Snyk scans completed."
}

# Initialize and run scans
debug "Running Snyk Scan Script"
run_all_scans
25 changes: 22 additions & 3 deletions .github/workflows/kondukto.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,35 @@ jobs:
- name: Checkout Code
uses: actions/checkout@v3

- name: Install Snyk CLI
run: |
curl -L -o $GITHUB_WORKSPACE/snyk https://github.com/snyk/cli/releases/latest/download/snyk-linux
chmod +x $GITHUB_WORKSPACE/snyk

- name: Install KDT CLI
run: |
curl -sSL https://cli.kondukto.io | sh

- name: Run Snyk Scans
env:
HOST: ${{ secrets.KONDUKTO_HOST }}
TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
PROJECT_NAME: ${{ secrets.PROJECT_NAME }}
VERBOSITY: true
run: |
./.github/scripts/snyk-scans.sh \
"$TOKEN" \
"$PROJECT_NAME" \
"main" \
"$VERBOSITY" \
"${{ secrets.SNYK_TOKEN }}"

- name: List available scanners
run: kdt list scanners --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }}

- name: Scan with Dependabot
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t dependabot -b $TARGET_BRANCH --async

- name: Scan with Semgrep
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t semgrep -b $TARGET_BRANCH --async

- name: Scan with OSV
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t osvscannersca -b $TARGET_BRANCH --async

Expand Down
Loading