Skip to content

Commit 180a50e

Browse files
committed
Remove CVSS threshold checks
Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>
1 parent ef37aa0 commit 180a50e

3 files changed

Lines changed: 2 additions & 56 deletions

File tree

.github/actions/security/snyk-container-scan/action.yml

Lines changed: 1 addition & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
name: "Snyk Container Scan"
2-
description: "Scan a single container image with Snyk, upload results to Code Scanning, and check CVSS threshold"
2+
description: "Scan a single container image with Snyk, upload results to Code Scanning"
33

44
inputs:
55
imageFile:
@@ -8,10 +8,6 @@ inputs:
88
image:
99
description: "Image name for SARIF naming and categorization"
1010
required: true
11-
cvssThreshold:
12-
description: "Fail if any CVE has CVSS score above this value"
13-
required: false
14-
default: "8.0"
1511
snykMonitor:
1612
description: "Whether to also run 'snyk container monitor'"
1713
required: false
@@ -104,26 +100,3 @@ runs:
104100
--project-name="$MONITOR_PROJECT" \
105101
--target-reference="$MONITOR_REVISION"
106102
fi
107-
108-
- name: Check CVSS threshold
109-
shell: bash
110-
env:
111-
IMAGE_NAME: ${{ inputs.image }}
112-
run: |
113-
THRESHOLD=${{ inputs.cvssThreshold }}
114-
JSON_FILE="snyk-container-${IMAGE_NAME}.json"
115-
if [ -f "$JSON_FILE" ]; then
116-
COUNT=$(jq --argjson t "$THRESHOLD" '
117-
if type == "array" then
118-
[.[].vulnerabilities[]? | select(.cvssScore > $t)] | length
119-
else
120-
[.vulnerabilities[]? | select(.cvssScore > $t)] | length
121-
end' "$JSON_FILE")
122-
if [ "$COUNT" -gt 0 ]; then
123-
echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $THRESHOLD"
124-
exit 1
125-
fi
126-
echo "No vulnerabilities found with CVSS score > $THRESHOLD"
127-
else
128-
echo "No Snyk results file found, skipping CVSS threshold check"
129-
fi

.github/actions/security/snyk-maven-scan/action.yml

Lines changed: 1 addition & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,7 @@
11
name: "Snyk Maven Scan"
2-
description: "Run Snyk scan on Maven dependencies with SARIF upload and CVSS threshold check"
2+
description: "Run Snyk scan on Maven dependencies with SARIF upload"
33

44
inputs:
5-
cvssThreshold:
6-
description: "Fail if any CVE has CVSS score above this value"
7-
required: false
8-
default: "8.0"
95
snykMonitor:
106
description: "Whether to also run 'snyk monitor'"
117
required: false
@@ -71,23 +67,3 @@ runs:
7167
run: |
7268
REPO_NAME="${GITHUB_REPOSITORY##*/}"
7369
snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}"
74-
75-
- name: Check CVSS threshold
76-
shell: bash
77-
run: |
78-
THRESHOLD=${{ inputs.cvssThreshold }}
79-
if [ -f snyk-results.json ]; then
80-
COUNT=$(jq --argjson t "$THRESHOLD" '
81-
if type == "array" then
82-
[.[].vulnerabilities[]? | select(.cvssScore > $t)] | length
83-
else
84-
[.vulnerabilities[]? | select(.cvssScore > $t)] | length
85-
end' snyk-results.json)
86-
if [ "$COUNT" -gt 0 ]; then
87-
echo "::error::Found $COUNT vulnerabilities with CVSS score > $THRESHOLD"
88-
exit 1
89-
fi
90-
echo "No vulnerabilities found with CVSS score > $THRESHOLD"
91-
else
92-
echo "No Snyk results file found, skipping CVSS threshold check"
93-
fi

.github/workflows/test-snyk.yml

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,6 @@ jobs:
5858
- name: Run Snyk Maven scan
5959
uses: ./.github/actions/security/snyk-maven-scan
6060
with:
61-
cvssThreshold: "99.0"
6261
# Keep false to avoid uploading testing results to Snyk App
6362
snykMonitor: "false"
6463
# Keep false to avoid uploading results to GitHub Code Scanning page
@@ -205,7 +204,6 @@ jobs:
205204
with:
206205
imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
207206
image: ${{ matrix.image }}
208-
cvssThreshold: "99.0"
209207
snykMonitor: "false"
210208
uploadToCodeScanning: "false"
211209
projectPrefix: test-operators
@@ -255,7 +253,6 @@ jobs:
255253
with:
256254
imageFile: drain-cleaner-container-amd64.tar.gz
257255
image: drain-cleaner-amd64
258-
cvssThreshold: "99.0"
259256
# Keep false to avoid uploading testing results to Snyk App
260257
snykMonitor: "false"
261258
# Keep false to avoid uploading results to GitHub Code Scanning page

0 commit comments

Comments
 (0)