Skip to main content

Find and fix vulnerabilities in your CI/CD pipeline with Snyk and Harness

Escrito por:
Pas Apicella
Martin Ansong
wordpress-sync/blog-feature-snyk-harness

10 de dezembro de 2021

0 minutos de leitura

When DevOps emerged more than ten years ago, the main focus was to bridge the gaps between dev and ops teams. This was achieved by introducing automation to the processes of designing, building, testing, and deploying applications.

But as development teams continue to deliver faster and more frequently, security teams find it difficult to keep up. Often, they become the bottleneck in the delivery pipeline. For this reason, bringing security early into the DevOps process and embracing a DevSecOps culture has become increasingly important.

Integrating the Snyk developer-focused security platform into Harness’ unified delivery pipeline workflow ensures security and compliance testing is part of every release. This allows you to prevent applications with vulnerable dependencies and code from making their way into production. With modern tooling like Snyk and Harness, you can find, fix, and remediate through a CI/CD pipeline and mitigate the risk to the business without affecting your ability to release software quickly.

Getting started With Snyk

Snyk is a developer security platform that makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. It integrates directly into development tools, workflows, and automation pipelines.

Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.

Getting started with Snyk is as simple as signing up for a free account.

Getting started With Harness

Harness is the industry’s first software delivery platform that uses AI to simplify your DevOps processes — CI, CD, Feature Flags, Cloud Cost Management, and much more.

Harness enables you to build complex deployments in minutes with reusable templates, saving both time and stress. With Harness, you can build pipelines in minutes.

Getting started with Harness is as simple as heading over to harness.io and setting up a free trial account.

Prevent vulnerabilities from passing through the build and deployment process

The best way to demonstrate the combined power of Snyk and Harness is via a walkthrough, which you can set up and run for yourself. In this example, we'll use Snyk to demonstrate how to prevent vulnerabilities from passing through the build and deployment process by adding automated Snyk tests into a Harness workflow.

We use the following GitHub repository: https://github.com/mansong1/springbootemployee-api

If you wish to follow along, you will need the following:

  1. Snyk account

  2. Harness account

This tutorial makes the most sense after you’ve completed the following with Harness:

If you’ve completed/reviewed the above, you’ve learned how to set up a Harness CI workflow.

Seven steps for running Snyk tests in Harness

Step 1: Create a Snyk API token secret

You need a Snyk API token to perform Snyk CLI tests. For enterprise customers, you can set up service accounts and create a token through Snyk App. For non-enterprise Snyk accounts, including our free Snyk tier, you can use the main user token.

Next, create a secret in Harness to store your Snyk API token by following these steps.

Step 2: Create a new pipeline

1. First, create a new project in Harness by clicking on +Project

wordpress-sync/blog-harness-add-project

2. Once you’ve created your project, go to the Continuous Integration module to create a new pipeline.

wordpress-sync/blog-harness-create-pipeline

Step 3: Add the Codebase

If this is the first CI stage in the pipeline, enable Clone Codebase in the CI Stage settings. If you have an existing pipeline with a CI stage, click Codebase. See Edit Codebase Configuration.

Step 4: Define the build farm infrastructure

In the CI stage infrastructure, define the build farm for the Codebase. See Kubernetes Cluster Build Infrastructure Setup.

Step 5: Configure a Run Snyk test

In the CI Execution, click Add Step and then click Run.

wordpress-sync/blog-harness-config-test

The Run step executes one or more commands on a container image.

Snyk offers multiple container images that wrap the Snyk CLI and come with relevant tooling for different languages. In this example, we are using the Maven version since that's what is used in this sample application.

For step settings on configuring a Run step, see Run Step Settings and add your Snyk API token.

wordpress-sync/blog-harness-optional-config

You can now reference this environment variable in the Command section of the configuration.

wordpress-sync/blog-harness-config-env

Step 6: Run the pipeline

Now you can run your Pipeline.

1. Click Save and Publish.

2. Click Run. The Pipeline Inputs settings appear.

3. In CI Codebase, click Git Branch.

4. In the Git Branch, enter the name of the branch where the Codebase is, such as master.

wordpress-sync/blog-harness-run-pipeline

5. Click Run Pipeline.

Step 7: View pipeline execution

When the workflow runs, the Snyk Test step fails because the project includes vulnerable dependencies. We can also click on the Console View toggle to see the full report.

Note: To have better control over your tests, you can pass the severity-threshold flag to the snyk test command with one of the supported options (low|medium|high|critical). With this flag, only vulnerabilities of provided level or higher will be reported

wordpress-sync/blog-harness-severity-threshold

The entire pipeline is available as YAML, also. In Builds:

  1. Click More Options.

  2. Select Edit Pipeline.

  3. Click YAML.

wordpress-sync/blog-harness-yaml

Below, you can see the entire pipeline as YAML. You can edit anything in the pipeline and run it again.

1pipeline:
2  stages:
3      - stage:
4            type: CI
5            spec:
6                infrastructure:
7                    type: KubernetesDirect
8                    spec:
9                        connectorRef: org.GKE
10                        namespace: harness-builds
11                execution:
12                    steps:
13                        - step:
14                              type: Run
15                              spec:
16                                  connectorRef: org.Dockerhub
17                                  image: snyk/snyk-cli:1.745.0-maven-3.5.4
18                                  command: |-
19                                      snyk config set api=$SNYK_TOKEN
20                                      snyk test
21                                  privileged: true
22                                  envVariables:
23                                      SNYK_TOKEN:  <+secrets.getValue("org.SNYK_TOKEN")>
24                                  resources:
25                                      limits:
26                                          memory: 1Gi
27                                          cpu: "1.0"
28                              name: Snyk Test
29                              identifier: Snyk_Test
30                cloneCodebase: true
31            name: CI
32            identifier: CI
33  properties:
34      ci:
35          codebase:
36              repoName: springbootemployee-api
37              connectorRef: org.Github
38              build: <+input>
39  projectIdentifier: Snyk
40  orgIdentifier: default
41  name: Snyk Test
42  identifier: Snyk_Test
43  description: Test local project for vulnerabilities.

CI/CD workflow

Besides scanning for application dependencies, vulnerabilities can creep in based on the choice of container used. In addition to that, misconfiguration of cloud resources attributes to the most prevalent cloud vulnerabilities exploited to access cloud data and services.

In this example, we will be building and deploying our application to Kubernetes then monitoring it using Snyk.

To build and push a container in Harness, simply follow these steps. Adding a Snyk container scanning step is similar to the Snyk Test step above.

To deploy the container to our Kubernetes cluster, see the Harness documentation. In our CD pipeline, we’ll be executing the Snyk test of our Kubernetes manifest before we do that. Adding a snyk iac test step is done via a Shell Script step.

wordpress-sync/blog-harness-script

The script executed in the Snyk IaC step is as follows:

1rm -rf springbootemployee-api || true
2
3git clone https://github.com/mansong1/springbootemployee-api
4cd springbootemployee-api
5
6SNYK_TOKEN=<+secrets.getValue("org.SNYK_TOKEN")>
7snyk config set api=$SNYK_TOKEN
8snyk iac test manifests/<+infra.namespace>/templates/*.yaml

The complete CI/CD workflow looks like this:

wordpress-sync/blog-harness-complete-1
wordpress-sync/blog-harness-complete-2

As before, this pipeline can be viewed as YAML and is located in this GitHub repo.

Snyk integrates with Kubernetes, enabling you to import and test your running workloads and identify vulnerabilities in their associated images and configurations. Once imported, Snyk continues to monitor those workloads, identifying additional security issues as new images are deployed and the workload configuration changes.

A successful deployment through our Harness CD workflow shows up in the Snyk UI as follows:

wordpress-sync/blog-harness-snyk
wordpress-sync/blog-harness-vuln

Try it now

When choosing a technology platform, it’s important to select one that places the needs of developers at the center of its solutions. It should also focus on remediating issues rather than just reporting them. Platforms with a developer-first approach can integrate security across the pipeline, helping multiple different stakeholders such as devs, sec, and ops teams get a holistic view.This helps embed a mutual DevSecOps mindset and ensures more secure software in the hands of consumers.

Thank you so much for joining us for this tutorial. Don’t forget to try Snyk and Harness today!

About the authors

Martin Ansong is a Solutions Engineer in the Harness Commercial Sales organization, working to help customers accelerate the build and delivery of their software lifecycle.

Pas Apicella is a Principal Solution Engineer APJ at Snyk, working on the Snyk platform to help customers secure their cloud native applications and enable a DevSecOps culture while still meeting the business needs.