Merge pull request #111 from snyk/develop

chore: Permit snyk monitor command to be overridden

.circleci/test-deploy.yml

@@ -58,6 +58,56 @@ commands:
             test-only-param_fail-on-no-cache-used: << parameters.test-only-param_fail-on-no-cache-used >>
             test-only-param_dry-run-commands: << parameters.test-only-param_dry-run-commands >>
 
+  container-scan:
+    description: test the scan functionality on containers
+    parameters:
+      fail-on-issues:
+        type: boolean
+        default: false
+      monitor-on-build:
+        type: boolean
+        default: false
+      no-cache:
+        type: boolean
+        default: false
+      additional-arguments:
+        type: string
+        default: ''
+      additional-monitor-arguments:
+        type: string
+        default: ''
+
+      test-only-param_fail-on-no-cache-used:
+        type: boolean
+        default: false
+      test-only-param_dry-run-commands:
+        type: boolean
+        default: false
+
+    steps:
+      - setup_remote_docker
+
+      - run:
+          name: Setup test repository
+          command: |
+            git clone https://github.com/snyk-labs/nodejs-goof || echo "Repository already exists, no cloning needed."
+            cd nodejs-goof
+            docker build -t nodejs-goof .
+
+      - snyk/scan:
+          docker-image-name: nodejs-goof
+          command: container test
+          monitor-command: container monitor
+
+          fail-on-issues: << parameters.fail-on-issues >>
+          monitor-on-build: << parameters.monitor-on-build >>
+          no-cache: << parameters.no-cache >>
+          additional-arguments: << parameters.additional-arguments >>
+          additional-monitor-arguments: << parameters.additional-monitor-arguments >>
+
+          test-only-param_fail-on-no-cache-used: << parameters.test-only-param_fail-on-no-cache-used >>
+          test-only-param_dry-run-commands: << parameters.test-only-param_dry-run-commands >>
+
   validate-dry-run-commands:
     description: validation hook to test the output of commands run under dry-run mode
     parameters:
@@ -127,6 +177,18 @@ jobs:
             snyk test --severity-threshold=low --file=nodejs-goof/package.json --print-deps
             snyk monitor --file=nodejs-goof/package.json --print-deps --project-tags=component=pkg:github.com/snyk-labs/nodejs-goof
 
+  scan-container-test-and-monitor:
+    docker:
+      - image: cimg/base:current
+    steps:
+      - container-scan:
+          test-only-param_dry-run-commands: true
+          monitor-on-build: true
+      - validate-dry-run-commands:
+          expected-commands: |
+            snyk container test --docker nodejs-goof --severity-threshold=low
+            snyk container monitor --docker nodejs-goof
+
 workflows:
   test-deploy:
     jobs:
@@ -159,3 +221,8 @@ workflows:
           context:
             - hammerhead-snyk-orb-snyk-creds
           filters: *filters
+
+      - scan-container-test-and-monitor:
+          context:
+            - hammerhead-snyk-orb-snyk-creds
+          filters: *filters

README.md

@@ -98,6 +98,7 @@ Full reference docs https://circleci.com/orbs/registry/orb/snyk/snyk
 | Parameter                    | Description                                                                                                                            | Required | Default    | Type                           |
 |------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------|------------|--------------------------------|
 | command                      | The CLI command (i.e. "test", "iac test") to execute                                                                                   | no       | test       | string                         |
+| monitor-command              | The CLI monitor command (i.e. "monitor", "container monitor") to execute                                                               | no       | monitor    | string                         |
 | token-variable               | Name of env var containing your Snyk API token                                                                                         | no       | SNYK_TOKEN | env_var_name                   |
 | severity-threshold           | Only report vulnerabilities of provided level or higher (low/medium/high/critical)                                                     | no       | low        | low \| med \| high \| critical |
 | fail-on-issues               | This specifies if builds should be failed or continued based on issues found by Snyk                                                   | no       | true       | boolean                        |

src/commands/scan.yml

@@ -5,6 +5,11 @@ parameters:
       The Snyk command to call, i.e. "test" or "iac test"
     type: string
     default: "test"
+  monitor-command:
+    description: >
+      The Snyk monitoring command to call, i.e. "monitor" or "container monitor"
+    type: string
+    default: "monitor"
   token-variable:
     description: >
       Name of env var containing your Snyk API token. Pass this as a raw string such as CICD_SNYK_TOKEN.
@@ -124,7 +129,7 @@ steps:
               SNYK_INTEGRATION_VERSION: REPLACE_ORB_VERSION
             command: >
               <<#parameters.test-only-param_dry-run-commands>>function capture() { echo "$@" | tee -a /tmp/dry-run-snyk-commands.txt; }; capture<</parameters.test-only-param_dry-run-commands>>
-              snyk monitor
+              snyk <<parameters.monitor-command>>
               <<#parameters.docker-image-name>>--docker <<parameters.docker-image-name>><</parameters.docker-image-name>>
               <<#parameters.project>>--project-name=<<parameters.project>><</parameters.project>>
               <<#parameters.organization>>--org=<<parameters.organization>><</parameters.organization>>