Skip to content

Commit 3e102ae

Browse files
authored
Add exclude options to maven scan (#46)
* Add exclude options to maven scan Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> * Rename tool in github security page for maven scans Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> * Fix lint Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> --------- Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>
1 parent cbaf56f commit 3e102ae

3 files changed

Lines changed: 30 additions & 19 deletions

File tree

.github/actions/security/snyk-container-scan/action.yml

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,6 @@ inputs:
1212
description: "Whether to also run 'snyk container monitor'"
1313
required: false
1414
default: "false"
15-
projectPrefix:
16-
description: "Project prefix for Snyk dashboard (e.g., 'strimzi')"
17-
required: true
1815
snykMonitorTargetReference:
1916
description: "Value for --target-reference in 'snyk container monitor' (e.g. release version). Defaults to the image tag."
2017
required: false

.github/actions/security/snyk-maven-scan/action.yml

Lines changed: 29 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -6,13 +6,17 @@ inputs:
66
description: "Whether to also run 'snyk monitor'"
77
required: false
88
default: "false"
9-
projectPrefix:
10-
description: "Project prefix for Snyk dashboard and SARIF naming (e.g., 'strimzi')"
9+
scanName:
10+
description: "Name used for SARIF file naming, upload category, and tool display name (e.g., 'strimzi')"
1111
required: true
1212
uploadToCodeScanning:
1313
description: "Whether to upload SARIF results to GitHub Code Scanning"
1414
required: false
1515
default: "true"
16+
exclude:
17+
description: "Comma-separated list of directories to exclude from scanning (e.g., 'mockkube,test')"
18+
required: false
19+
default: ""
1620

1721
runs:
1822
using: "composite"
@@ -24,38 +28,46 @@ runs:
2428
shell: bash
2529
continue-on-error: true
2630
run: |
31+
EXCLUDE_FLAG=""
32+
if [ -n "${{ inputs.exclude }}" ]; then
33+
EXCLUDE_FLAG="--exclude=${{ inputs.exclude }}"
34+
fi
2735
snyk test \
2836
--all-projects \
29-
--sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif \
37+
$EXCLUDE_FLAG \
38+
--sarif-file-output=snyk-maven-${{ inputs.scanName }}.sarif \
3039
--json-file-output=snyk-results.json
3140
3241
# This is used to set severity score to 0.0 for those results that has empty value for it.
3342
# Empty value is not supported by GitHub Code Scanning page
43+
# It also set tool.driver.name to distinguish between different tools within UI
3444
- name: Sanitize SARIF security-severity values
3545
shell: bash
3646
run: |
37-
SARIF_FILE="snyk-maven-${{ inputs.projectPrefix }}.sarif"
47+
SARIF_FILE="snyk-maven-${{ inputs.scanName }}.sarif"
3848
if [ -f "$SARIF_FILE" ]; then
39-
jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |=
40-
if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0"
41-
else .
42-
end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE"
49+
jq --arg name "Snyk Maven (${{ inputs.scanName }})" '
50+
(.runs[].tool.driver.name) = $name |
51+
(.runs[].tool.driver.rules[]?.properties."security-severity") |=
52+
if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0"
53+
else .
54+
end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE"
4355
fi
4456
4557
- name: Upload SARIF to GitHub Code Scanning
4658
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
4759
if: ${{ always() && inputs.uploadToCodeScanning == 'true' }}
4860
with:
49-
sarif_file: snyk-maven-${{ inputs.projectPrefix }}.sarif
50-
category: snyk-maven-${{ inputs.projectPrefix }}
61+
sarif_file: snyk-maven-${{ inputs.scanName }}.sarif
62+
category: snyk-maven-${{ inputs.scanName }}
5163
wait-for-processing: true
5264

5365
- name: Upload SARIF as workflow artifact
5466
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
5567
if: always()
5668
with:
57-
name: snyk-maven-${{ inputs.projectPrefix }}.sarif
58-
path: snyk-maven-${{ inputs.projectPrefix }}.sarif
69+
name: snyk-maven-${{ inputs.scanName }}.sarif
70+
path: snyk-maven-${{ inputs.scanName }}.sarif
5971
retention-days: 30
6072

6173
# Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
@@ -64,4 +76,8 @@ runs:
6476
shell: bash
6577
continue-on-error: true
6678
run: |
67-
snyk monitor --all-projects --target-reference="${GITHUB_REF_NAME}"
79+
EXCLUDE_FLAG=""
80+
if [ -n "${{ inputs.exclude }}" ]; then
81+
EXCLUDE_FLAG="--exclude=${{ inputs.exclude }}"
82+
fi
83+
snyk monitor --all-projects $EXCLUDE_FLAG --target-reference="${GITHUB_REF_NAME}"

.github/workflows/test-snyk.yml

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ jobs:
6262
snykMonitor: "false"
6363
# Keep false to avoid uploading results to GitHub Code Scanning page
6464
uploadToCodeScanning: "false"
65-
projectPrefix: test-drain-cleaner
65+
scanName: test-drain-cleaner
6666
env:
6767
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
6868

@@ -207,7 +207,6 @@ jobs:
207207
snykMonitor: "false"
208208
snykMonitorTargetReference: "latest"
209209
uploadToCodeScanning: "false"
210-
projectPrefix: test-operators
211210
env:
212211
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
213212

@@ -259,7 +258,6 @@ jobs:
259258
snykMonitorTargetReference: "latest"
260259
# Keep false to avoid uploading results to GitHub Code Scanning page
261260
uploadToCodeScanning: "false"
262-
projectPrefix: test-drain-cleaner
263261
env:
264262
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
265263

0 commit comments

Comments
 (0)