A Buildkite plugin that runs Snyk tests in your Buildkite pipelines. The plugin requires a few dependencies install on your agents in order to function:
Refer to the documentation for these tools to ensure they are installed on your agents before running the plugin. If you are using the Buildkite Elastic CI Stack for AWS, you will need to customise the bootstrap script used by the stack.
These are all the options available to configure this plugin's behaviour.
The type of scan that the plugin will perform. Currently supported options are oss, code, container. (default: oss)
The environment variable the plugin will reference to set SNYK_TOKEN. (default: SNYK_TOKEN)
Your Snyk Organization slug, sets SNYK_CFG_ORG.
The image and tag (example: alpine:latest) to pass to the container scan tool.
Annotate the build according to the scan results. If set to false, no annotation will be created even if vulnerabilities are detected. (default: false)
Optionally block the build on vulnerability detection.
Here are a few examples of using the plugin to scan within your Buildkite pipeline:
steps:
- label: "🔎 Scanning with Snyk"
command: "test.sh"
plugins:
- snyk#v0.1.0:
scan: 'oss'
annotate: truesteps:
- label: "🔎 Scanning code with Snyk"
command: "test.sh"
plugins:
- snyk#v0.1.0:
scan: 'code'
annotate: trueScanning a docker container image by image name and tag:
steps:
- label: "🔎 Scanning container image with Snyk"
command: "build.sh"
plugins:
- snyk#v0.1.0:
scan: 'container'
annotate: true
image: 'alpine:latest'Block a build when a vulnerability is detected:
steps:
- label: "🔎 Blocking snyk scan"
command: "test.sh"
plugins:
- snyk#v0.1.0:
scan: 'oss'
annotate: true
block: trueRun the tests using docker compose run --rm tests
You can use the bk cli to run the pipeline locally:
bk local runThe package is available as open source under the terms of the MIT License.