diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml
new file mode 100644
index 00000000000..8bddba28f17
--- /dev/null
+++ b/.github/workflows/snyk-sca-sast-demo.yml
@@ -0,0 +1,185 @@ +name: Snyk SCA and SAST Security Pipeline + +# ============================================================================ +# TRIGGER CONFIGURATION +# ============================================================================ +# This workflow runs on: +# - Every push to main/master branches (typical for production deployments) +# - Pull requests targeting main/master (for pre-merge security validation) +# - Manual trigger via workflow_dispatch (for on-demand testing) +on: + push: + branches: [ main, master ] + pull_request: + branches: [ main, master ] + workflow_dispatch: + +# ============================================================================ +# SNYK OPEN SOURCE (SCA) SCAN JOB +# ============================================================================ +# Software Composition Analysis (SCA) scans your open-source dependencies +# for known vulnerabilities in third-party packages +jobs: + snyk-sca-scan: + name: SCA - Snyk Open Source Scan + runs-on: ubuntu-latest + + # Required permissions for GitHub integration + permissions: + contents: read + security-events: write + + steps: + # Step 1: Check out the repository code + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Set up Node.js environment (required for npm projects) + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + # Step 3: Install project dependencies + # This ensures Snyk can analyze the actual dependency tree + - name: Install dependencies + run: npm install + + # Step 4: Install and configure Snyk CLI + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + # Step 5: Authenticate with Snyk using organization token + # SNYK_TOKEN should be configured as a GitHub secret + - name: Authenticate Snyk + run: snyk auth ${{ secrets.SNYK_TOKEN }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 6: Run Snyk Open Source TEST + # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found + # 
--severity-threshold=high: Only fail on high or critical severity issues + # --all-projects: Scan all package manager manifests in the repo + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continue-on-error: true' to enforce the block + # - name: Snyk Open Source Test (Block on High+) + # run: | + # snyk test \ + # --severity-threshold=high \ + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sca" \ + # --target-reference=${{ github.ref_name }} + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends results to Snyk Dashboard for continuous monitoring + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking different environments + - name: Snyk Open Source Test & Report (Send to Dashboard) + continue-on-error: true + run: | + snyk test \ + --severity-threshold=high \ + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + --project-name="nodejs-goof-sca" \ + --target-reference=${{ github.ref_name }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + +# ============================================================================ +# SNYK CODE (SAST) SCAN JOB +# ============================================================================ +# Static Application Security Testing (SAST) analyzes your first-party code +# for security vulnerabilities and code quality issues + snyk-code-scan: + name: SAST - Snyk Code Scan + runs-on: ubuntu-latest + + # Required permissions for GitHub integration + permissions: + contents: read + security-events: write + + steps: + # Step 1: Check out the repository code + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Install and configure Snyk CLI + - name: Setup Snyk CLI + uses: 
snyk/actions/setup@master + + # Step 3: Authenticate with Snyk using organization token + - name: Authenticate Snyk + run: snyk auth ${{ secrets.SNYK_TOKEN }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 4: Run Snyk Code TEST + # This scans your source code and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc. + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continue-on-error: true' to enforce the block + # - name: Snyk Code Test (Block on High+) + # run: | + # snyk code test \ + # --severity-threshold=high \ + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sast" + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends SAST results to Snyk Dashboard for continuous monitoring + # --project-name: Custom name visible in Snyk UI (required for --report) + - name: Snyk Code Test & Report (Send to Dashboard) + continue-on-error: true + run: | + snyk code test \ + --severity-threshold=high \ + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + --project-name="nodejs-goof-sast" + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 5: SAST Results Sent to Dashboard + # The --report flag above sends Snyk Code results to the Snyk Dashboard + # Results will appear at: https://app.snyk.io/org/varner-tech-engineering/projects + # Look for project name: nodejs-goof-sast + +# ============================================================================ +# REQUIRED GITHUB SECRETS +# ============================================================================ +# To use this pipeline, configure these secrets in 
your GitHub repository:
+# Settings > Secrets and variables > Actions > New repository secret
+#
+# 1. SNYK_TOKEN: Your Snyk API token
+# - Get from: https://app.snyk.io/account (Account Settings > API Token)
+# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc)
+#
+# 2. SNYK_ORG_ID: Your Snyk Organization ID (optional but recommended)
+# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings
+# - Format: UUID string or organization slug
+# - If not set, uses your default organization
+#
+# ============================================================================
+# DEMO TALKING POINTS
+# ============================================================================
+# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge
+# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline
+# 3. FAIL-FAST: Pipeline blocks on high/critical vulnerabilities
+# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time
+# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and GitHub Actions UI
+# 6. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC)
diff --git a/azure-pipelines-snyk-sca-sast-demo.yml b/azure-pipelines-snyk-sca-sast-demo.yml
new file mode 100644
index 00000000000..6840b592c29
--- /dev/null
+++ b/azure-pipelines-snyk-sca-sast-demo.yml
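Review bot: `snyk/actions/setup@master` in both jobs runs a third-party action from a mutable branch inside a job that holds SNYK_TOKEN, so a compromised or force-pushed upstream would run with the secret; pin it to a full commit SHA (the `actions/*` steps benefit from the same treatment). The `snyk auth ${{ secrets.SNYK_TOKEN }}` steps are redundant because every Snyk step already exports SNYK_TOKEN in `env:`, and they additionally place the token on a shell command line and persist it in the runner's Snyk config — drop them. `${{ github.ref_name }}` is expanded directly into the SCA `run:` script; pass it through `env:` and reference `"$TARGET_REF"` so a ref containing shell metacharacters cannot alter the command (on pull_request the value is GitHub-generated, on workflow_dispatch it is whatever ref the caller picks). Least privilege: `security-events: write` is granted in both jobs but nothing uploads SARIF, so it can be removed, and `npm install` runs lifecycle scripts from the PR's dependency tree and may rewrite the lockfile where `npm ci --ignore-scripts` suffices for the scan when a lockfile is committed. Finally, the comments promise `--all-projects` and a SNYK_ORG_ID secret while the step passes neither (the org UUID is hard-coded), and the 'FAIL-FAST' talking point does not hold while `continue-on-error: true` is active.
```yaml
      # … unchanged: checkout / setup-node …
      - name: Install dependencies
        run: npm ci --ignore-scripts

      - name: Setup Snyk CLI
        uses: snyk/actions/setup@master  # replace @master with a full commit SHA before use
      # ('snyk auth' step removed: the CLI reads SNYK_TOKEN from the environment)

      - name: Snyk Open Source Test & Report (Send to Dashboard)
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          TARGET_REF: ${{ github.ref_name }}
        run: |
          snyk test \
            --severity-threshold=high \
            --report \
            --org=2c2549f7-de55-4c31-aaea-bea685244487 \
            --project-name="nodejs-goof-sca" \
            --target-reference="$TARGET_REF"
```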
@@ -0,0 +1,258 @@ +# ============================================================================ +# AZURE DEVOPS PIPELINE - SNYK SCA AND SAST SECURITY SCANNING +# ============================================================================ +# This pipeline performs Software Composition Analysis (SCA) and +# Static Application Security Testing (SAST) using Snyk +# +# IMPORTANT: This is the Azure DevOps/TFS equivalent of the GitHub Actions workflow +# Key differences from GitHub Actions: +# - Uses 'trigger' instead of 'on' +# - Uses 'jobs' with 'steps' instead of GitHub Actions syntax +# - Uses 'script' or 'task' instead of 'run' +# - Variables are defined differently +# - Secrets accessed via $(VARIABLE_NAME) instead of ${{ secrets.NAME }} + +# ============================================================================ +# TRIGGER CONFIGURATION +# ============================================================================ +# This pipeline runs on: +# - Every push to main/master branches (CI trigger) +# - Pull requests targeting main/master (PR validation) +# - Manual trigger via Azure DevOps UI +trigger: + branches: + include: + - main + - master + +pr: + branches: + include: + - main + - master + +# ============================================================================ +# PIPELINE VARIABLES +# ============================================================================ +# Define variables used throughout the pipeline +# SNYK_TOKEN should be configured as a secret variable in Azure DevOps: +# Pipeline > Edit > Variables > New variable > Keep this value secret +variables: + nodeVersion: '18.x' + # SNYK_TOKEN: Configured as secret variable in Azure DevOps + # SNYK_ORG_ID: Configured as variable in Azure DevOps (optional) + +# ============================================================================ +# AGENT POOL CONFIGURATION +# ============================================================================ +# Specifies the build agent to use (equivalent to 
'runs-on' in GitHub Actions) +pool: + vmImage: 'ubuntu-latest' + +# ============================================================================ +# PIPELINE STAGES AND JOBS +# ============================================================================ +stages: + # ========================================================================== + # STAGE 1: SNYK OPEN SOURCE (SCA) SCAN + # ========================================================================== + # Software Composition Analysis (SCA) scans your open-source dependencies + # for known vulnerabilities in third-party packages + - stage: SnykSCA + displayName: 'Snyk Open Source (SCA) Scan' + jobs: + - job: SCA_Scan + displayName: 'SCA Security Scan' + steps: + # Step 1: Check out the repository code + - checkout: self + displayName: 'Checkout code' + + # Step 2: Set up Node.js environment (required for npm projects) + - task: NodeTool@0 + displayName: 'Setup Node.js' + inputs: + versionSpec: '$(nodeVersion)' + + # Step 3: Install project dependencies + # This ensures Snyk can analyze the actual dependency tree + - script: npm install + displayName: 'Install dependencies' + + # Step 4: Install Snyk CLI + # Azure DevOps doesn't have a built-in Snyk action, so we install via npm + - script: npm install -g snyk + displayName: 'Install Snyk CLI' + + # Step 5: Authenticate with Snyk using organization token + # SNYK_TOKEN should be configured as a secret variable in Azure DevOps + - script: snyk auth $(SNYK_TOKEN) + displayName: 'Authenticate Snyk' + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 6: Run Snyk Open Source TEST + # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # --all-projects: Scan all package manager manifests in the repo + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continueOnError: 
true' to enforce the block + # - script: | + # snyk test \ + # --severity-threshold=high \ + # --all-projects \ + # --org=$(SNYK_ORG_ID) + # displayName: 'Snyk Open Source Test (Block on High+)' + # env: + # SNYK_TOKEN: $(SNYK_TOKEN) + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - script: | + snyk test \ + --severity-threshold=high \ + --all-projects \ + --org=$(SNYK_ORG_ID) || true + displayName: 'Snyk Open Source Test (Report Only)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 7: Run Snyk Open Source MONITOR + # This sends results to Snyk Dashboard for continuous monitoring + # Runs even if test fails (continueOnError: true) + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking different environments + - script: | + snyk monitor \ + --all-projects \ + --org=$(SNYK_ORG_ID) \ + --project-name="nodejs-goof-sca" \ + --target-reference=$(Build.SourceBranchName) + displayName: 'Snyk Open Source Monitor (Send to Dashboard)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # ========================================================================== + # STAGE 2: SNYK CODE (SAST) SCAN + # ========================================================================== + # Static Application Security Testing (SAST) analyzes your first-party code + # for security vulnerabilities and code quality issues + - stage: SnykCode + displayName: 'Snyk Code (SAST) Scan' + dependsOn: [] # Run in parallel with SCA stage + jobs: + - job: SAST_Scan + displayName: 'SAST Security Scan' + steps: + # Step 1: Check out the repository code + - checkout: self + displayName: 'Checkout code' + + # Step 2: Install Snyk CLI + - script: npm install -g snyk + displayName: 'Install Snyk CLI' + + # Step 3: Authenticate with Snyk using organization token + - script: snyk auth $(SNYK_TOKEN) + displayName: 'Authenticate Snyk' + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # 
Step 4: Run Snyk Code TEST + # This scans your source code and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc. + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continueOnError: true' to enforce the block + # - script: | + # snyk code test \ + # --severity-threshold=high \ + # --org=$(SNYK_ORG_ID) + # displayName: 'Snyk Code Test (Block on High+)' + # env: + # SNYK_TOKEN: $(SNYK_TOKEN) + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - script: | + snyk code test \ + --severity-threshold=high \ + --org=$(SNYK_ORG_ID) || true + displayName: 'Snyk Code Test (Report Only)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 5: Run Snyk Code MONITOR + # This sends SAST results to Snyk Dashboard for continuous monitoring + # Note: Snyk Code results are included when using 'snyk monitor' + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking + - script: | + snyk monitor \ + --org=$(SNYK_ORG_ID) \ + --project-name="nodejs-goof-sast" \ + --target-reference=$(Build.SourceBranchName) + displayName: 'Snyk Code Monitor (Send to Dashboard)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + +# ============================================================================ +# REQUIRED AZURE DEVOPS VARIABLES +# ============================================================================ +# To use this pipeline, configure these variables in Azure DevOps: +# Pipeline > Edit > Variables > New variable +# +# 1. 
SNYK_TOKEN (SECRET): Your Snyk API token +# - Get from: https://app.snyk.io/account (Account Settings > API Token) +# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc) +# - IMPORTANT: Check "Keep this value secret" when creating the variable +# +# 2. SNYK_ORG_ID (OPTIONAL): Your Snyk Organization ID +# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings +# - Format: UUID string or organization slug +# - If not set, uses your default organization +# +# ============================================================================ +# KEY DIFFERENCES FROM GITHUB ACTIONS +# ============================================================================ +# 1. SYNTAX: +# - GitHub: 'on:' → Azure DevOps: 'trigger:' and 'pr:' +# - GitHub: 'jobs:' → Azure DevOps: 'stages:' and 'jobs:' +# - GitHub: 'runs-on:' → Azure DevOps: 'pool:' +# - GitHub: 'steps: - name:' → Azure DevOps: 'steps: - script:' or 'task:' +# +# 2. SECRETS: +# - GitHub: ${{ secrets.SNYK_TOKEN }} → Azure DevOps: $(SNYK_TOKEN) +# - Configured in: Pipeline > Variables (not repository secrets) +# +# 3. CONTEXT VARIABLES: +# - GitHub: ${{ github.ref_name }} → Azure DevOps: $(Build.SourceBranchName) +# - GitHub: ${{ github.sha }} → Azure DevOps: $(Build.SourceVersion) +# +# 4. ACTIONS vs TASKS: +# - GitHub uses pre-built actions (e.g., actions/checkout@v4) +# - Azure DevOps uses tasks or direct script commands +# - No native Snyk task, so we use 'npm install -g snyk' +# +# 5. PARALLEL EXECUTION: +# - GitHub: Jobs run in parallel by default +# - Azure DevOps: Use 'dependsOn: []' to run stages in parallel +# +# ============================================================================ +# DEMO TALKING POINTS +# ============================================================================ +# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge +# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline +# 3. 
FAIL-FAST: Pipeline blocks on high/critical vulnerabilities (when enabled) +# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time +# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and Azure DevOps UI +# 6. CROSS-PLATFORM: Works with Azure DevOps Server (TFS) and Azure DevOps Services +# 7. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC)
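Review bot: The 'Report Only' steps in both stages combine `|| true` with `continueOnError: true`, so the task always reports green and the findings survive only in the log; remove the `|| true` so the step is at least marked 'succeeded with issues', and note that `--severity-threshold=high` in report-only mode merely hides medium and low results. The SAST stage's Step 5 runs `snyk monitor`, which (unlike `snyk code test --report`, the command the GitHub workflow in this same change uses) snapshots open-source dependencies rather than Snyk Code findings as far as I can tell, so the 'nodejs-goof-sast' project would be a second copy of the SCA data; Steps 4 and 5 of that stage can collapse into a single `snyk code test --report` step. `npm install -g snyk` installs whatever version is current on each run, so pin an explicit version and bump it deliberately. `--org=$(SNYK_ORG_ID)` is documented as optional, but Azure leaves an undefined macro as the literal text `$(SNYK_ORG_ID)`, which bash then executes as a command substitution; either make the variable required or omit `--org` when it is unset. As in the GitHub workflow, the `snyk auth $(SNYK_TOKEN)` steps are redundant with the `SNYK_TOKEN` env mapping and place the secret on a command line, and `$(Build.SourceBranchName)` should be passed through `env:` rather than expanded into the script.
```yaml
          # … unchanged: checkout / Install Snyk CLI …
          # Step 4+5: test source code and send the results to the dashboard.
          # 'snyk monitor' snapshots open-source dependencies, not Snyk Code
          # findings; '--report' on 'snyk code test' is what uploads SAST results.
          - script: |
              snyk code test \
                --severity-threshold=high \
                --report \
                --org=$(SNYK_ORG_ID) \
                --project-name="nodejs-goof-sast"
            displayName: 'Snyk Code Test & Report (Send to Dashboard)'
            continueOnError: true
            env:
              SNYK_TOKEN: $(SNYK_TOKEN)
```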