Pipeline
To get faster feedback and gating within delivery, teams should add Snyk to their pipelines. If teams are practicing rapid iterations and deployments, a single scan and gate will be sufficient. Otherwise scans can be added to branch builds and pre-promotion.
Following PE's documentation for adding Snyk scans to CircleCI, we will:
- Create a Snyk token for your org to connect to CircleCI
- Use the PE's `app-analysis` orb
- Add the `app-scan` job in the appropriate workflows
By default, the orb will scan and gate. On the primary branch, the pipeline also runs `snyk monitor` from the CLI, which publishes results to Snyk.
Use the following `app-analysis` orb:

```yaml
orbs:
  app-analysis: client/client-orb@4
```
We recommend adding the scan job before publishing the artifact in dev, and before deploying to each higher environment. Use the following code snippet to add the scanning job:

```yaml
jobs:
  - app-analysis/app-scan:
      name: Snyk scan
      <<: *circle-ci-context
      executor: java-agent / node-agent / etc
      additional-arguments: ###
      fail-on-sast-issues: true / false
      project-lifecycle: ###
      target-reference: ###
      slack-channel-id: ###
```
If your team uses short-lived branches instead of direct commits to main, then additional parameters may be needed to run scans on branches.
- `monitor-on-build`: determines whether to run `snyk monitor` and publish results to Snyk. This should be `false` on branches but `true` on main/dev, QA, and prod workflows.
- Like any other job with branch logic, use `filter` to determine which block to run in which workflow.
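A complete CircleCI config that wires the orb into the branch, main and promotion workflows described above, added here as an example rather than the page's own snippet. The orb, job and parameter names come from the page; the body of the `circle-ci-context` anchor, the executor name, the `project-lifecycle` values and the `publish-artifact` and `deploy-qa` jobs are assumptions, and `filters` is CircleCI's key for the branch logic the page calls `filter`.

```yaml
version: 2.1

orbs:
  app-analysis: client/client-orb@4

# Assumed: the page merges *circle-ci-context into the job but never shows the
# anchor; "snyk" is a placeholder context that holds the Snyk token.
circle-ci-context: &circle-ci-context
  context:
    - snyk

workflows:
  # Short-lived branches: scan and gate, but skip snyk monitor.
  branch-build:
    jobs:
      - app-analysis/app-scan:
          name: snyk-scan-branch
          <<: *circle-ci-context
          executor: java-agent          # assumed executor
          fail-on-sast-issues: true
          monitor-on-build: false
          filters:
            branches:
              ignore: main
  # main: scan, gate, publish results, and block the dev artifact on failure.
  main-build:
    jobs:
      - app-analysis/app-scan:
          name: snyk-scan-main
          <<: *circle-ci-context
          executor: java-agent
          fail-on-sast-issues: true
          monitor-on-build: true
          project-lifecycle: dev        # assumed value
          filters:
            branches:
              only: main
      - publish-artifact:               # hypothetical job, not from the page
          requires:
            - snyk-scan-main
  # Promotion: re-scan and gate before deploying to the higher environment.
  promote-qa:
    jobs:
      - app-analysis/app-scan:
          name: snyk-scan-qa
          <<: *circle-ci-context
          executor: java-agent
          monitor-on-build: true
      - deploy-qa:                      # hypothetical job, not from the page
          requires: [snyk-scan-qa]
```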
Checkpoint
- Add Snyk scans to your pipeline with the `pe-app-analysis` orb
- Add where appropriate (recommended: branch builds, before publishing artifact, before promoting to higher environments)
- If present, remove Veracode from the pipeline and open a PE support request to offboard