# snykExecute

## Description
This step performs an open source vulnerability scan on a Node project or Node module inside an MTA project through snyk.io.
## Prerequisites
- Snyk account - have an account on snyk.io
- Snyk token - have a Snyk user token
## Parameters

| name | mandatory | default | possible values |
|---|---|---|---|
| buildDescriptorFile | no | ./package.json | |
| dockerEnvVars | no | | |
| dockerImage | no | node:lts-bookworm | |
| dockerOptions | no | | |
| dockerWorkspace | no | | |
| exclude | no | [] | |
| monitor | no | true | |
| scanType | no | npm | npm, mta |
| script | yes | | |
| snykCredentialsId | yes | Jenkins credentials id | |
| snykOrg | no | | |
| toHtml | no | false | |
| toJson | no | false | |
- `buildDescriptorFile` - The path to the build descriptor file, e.g. `./package.json`.
- `dockerEnvVars` - Environment variables to set in the container, e.g. `[http_proxy: 'proxy:8080']`.
- `dockerImage` - Name of the Docker image that should be used. Configure with an empty value to execute the command directly on the Jenkins system (not using a container). Omit to use the default image (cf. `default_pipeline_environment.yml`). Overwrite to use a custom Docker image.
- `dockerOptions` - Docker only: Docker options to be set when starting the container (List or String).
- `dockerWorkspace` - Kubernetes only: Specifies a dedicated user home directory for the container, which will be passed as the value of the environment variable `HOME`.
- `exclude` - Only for `scanType: 'mta'`: Exclude modules from MTA projects.
- `monitor` - Monitor the application's dependencies for new vulnerabilities.
- `scanType` - The type of project that should be scanned.
- `script` - The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with the `this` parameter, as in `script: this`. This allows the function to access the `commonPipelineEnvironment` for retrieving, e.g., configuration parameters.
- `snykCredentialsId` - Credentials for accessing the Snyk API.
- `snykOrg` - Only needed for `monitor: true`: The organisation ID that determines the organisation to report to.
- `toHtml` - Generate and archive an HTML report.
- `toJson` - Generate and archive a JSON report.
## Step configuration

We recommend defining the values of step parameters in the config.yml file.
The configuration is possible in the following sections of config.yml:
| parameter | general | step/stage |
|---|---|---|
| buildDescriptorFile | X | |
| dockerEnvVars | X | |
| dockerImage | X | |
| dockerOptions | X | |
| dockerWorkspace | X | |
| exclude | X | |
| monitor | X | |
| scanType | X | |
| script | | |
| snykCredentialsId | X | X |
| snykOrg | X | |
| toHtml | X | |
| toJson | X | |
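The following config.yml is an added example (not taken from the project's own documentation) showing how the parameters above are combined for an MTA project with several Node modules. The credentials id, module names, organisation id and proxy host are assumed values; only the credentials id is placed in the config, so the Snyk token itself never leaves the Jenkins credentials store.

```yaml
# Added example (not from the project's docs): .pipeline/config.yml for an
# MTA project that contains several Node modules. All values are assumed.
general:
  # Jenkins credentials id of a secret-text credential holding the Snyk user
  # token. Only the id is stored here; the token stays in Jenkins.
  snykCredentialsId: 'mySnykToken'

steps:
  snykExecute:
    # Scan every Node module declared in the MTA descriptor instead of a
    # single package.json.
    scanType: 'mta'
    # Modules inside the MTA that must not be scanned (module names assumed).
    exclude:
      - 'db'
      - 'approuter-ui-tests'
    # Keep the project registered in Snyk so newly disclosed vulnerabilities in
    # already-scanned dependencies are reported later; monitor: true requires
    # snykOrg to be set.
    monitor: true
    snykOrg: '<your-snyk-organisation-id>'   # placeholder
    # Archive both report formats on the Jenkins build for later review.
    toHtml: true
    toJson: true
    # Container settings: keep the default image, but pass the proxy the
    # build agents need in order to reach snyk.io (proxy host assumed).
    dockerEnvVars:
      http_proxy: 'http://proxy.example.internal:8080'
      https_proxy: 'http://proxy.example.internal:8080'
```

With this configuration in place the Jenkinsfile call reduces to `snykExecute script: this`, because the step resolves `snykCredentialsId` and the other parameters from the general and step sections of config.yml.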
## Dependencies

The step depends on the following Jenkins plugins:
- credentials-binding
- docker
- kubernetes
- pipeline-utility-steps
- workflow-basic-steps
- workflow-cps
- workflow-cps-global-lib
- workflow-durable-task-step
The kubernetes plugin is only used if running in a kubernetes environment. Transitive dependencies are omitted.
The list might be incomplete.
Consider using the ppiper/jenkins-master Docker image. This image comes with the plugins preinstalled.
## Side effects

The step uses dockerExecute internally.
## Exceptions

none
## Example

```groovy
snykExecute script: this, snykCredentialsId: 'mySnykToken'
```