ministryofjustice/laa-ccms-caab-assessment-api

laa-ccms-caab-assessment-api

Common Components

This API uses components from the LAA CCMS Common Library:

Deploying features

Feature branches can be used to create deployments to development or test environments in Cloud Platform (Amazon EKS), via our Helm Chart repository.

The feature branches must be in the form:

  • feature-dev/<short name / ticket number> - deploy to development
  • feature-test/<short name / ticket number> - deploy to test

These branches trigger the Deploy feature pipeline which will publish an image and update the helm chart that corresponds to this service with the published image version. This will then trigger a deployment. See Feature deployments in the Helm chart repository for more details.
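As an added example (not part of this repository or its pipeline), the following POSIX shell functions check a branch name against the convention above and report which environment the Deploy feature pipeline would target. Running it as a local pre-push check catches a mistyped prefix before a branch is pushed and silently deploys nowhere. The function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the repository's own code: validate a branch name
# against the feature-branch convention described in the README.
# Prints "development" or "test" and returns 0, or prints nothing and
# returns 1 when the name does not follow the convention.
target_env_for_branch() {
  case "$1" in
    feature-dev/?*)  echo development ;;   # at least one character after the slash
    feature-test/?*) echo test ;;
    *)               return 1 ;;
  esac
}

# Extract the "<short name / ticket number>" part after the environment prefix.
branch_suffix() {
  printf '%s\n' "${1#feature-*/}"
}

# Usage: ./check-branch.sh "$(git rev-parse --abbrev-ref HEAD)"
if [ $# -gt 0 ]; then
  env=$(target_env_for_branch "$1") || {
    echo "$1: not a feature-dev/... or feature-test/... branch; no deployment will be triggered" >&2
    exit 1
  }
  echo "$1 -> $env (feature: $(branch_suffix "$1"))"
fi
```

Hooking this into `.git/hooks/pre-push` (or a CI lint step) turns the naming rule into an enforced check rather than documentation that has to be remembered.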

Snyk code analysis (CI/CD)

This project publishes vulnerability scans to the LAA Snyk Dashboard (Google SSO).

If you cannot see the LAA organisation when logged into the dashboard, please ask your lead developer/architect to have you added.

Scans will be triggered in two ways:

  • Main branch - on commit, a vulnerability scan will be run and published to both the Snyk server and GitHub Code Scanning. Vulnerabilities will not fail the build.
  • Feature branches - on commit, a vulnerability scan will be run to identify any new vulnerabilities (compared to the main branch), and a code scan will also run to identify known security issues within the source code. If any new vulnerabilities or issues are found, the build will fail.

Running Snyk locally

To run Snyk locally, you will need to install the Snyk CLI.

Once installed, you will be able to run the following commands:

snyk test

For open-source vulnerabilities and licence issues. See snyk test.

snyk code test

For Static Application Security Testing (SAST) - known security issues. See snyk code test.

A JetBrains Plugin is also available to integrate with your IDE. In addition to vulnerabilities, this plugin will also report code quality issues.

Configuration (.snyk)

The .snyk file is used to configure exclusions for scanning. If a vulnerability is not deemed to be a threat, or will be dealt with later, it can be added here to stop the pipeline failing. See documentation for more details.
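The following is an added example, not this repository's own .snyk file: a constructed policy that excludes the same build and generated directories the pipeline passes via --exclude, and time-boxes each ignore with a reason and an expiry. Because an ignore suppresses a finding everywhere the policy is read, an expiry date forces it to be revisited. The script also includes a small check that lists ignores whose expiry has passed, so stale exclusions surface instead of hiding a fixable issue indefinitely. The issue ids and ticket reference are placeholders, and the function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the repository's .snyk file. Writes a constructed
# policy to the path given, then offers a check for expired ignores.
# SNYK-PLACEHOLDER-000x are placeholder ids, not real Snyk identifiers.

write_sample_policy() {
  cat > "$1" <<'EOF'
# Snyk (https://snyk.io) policy file
version: v1.25.0
exclude:
  global:
    - build/**
    - generated/**
ignore:
  SNYK-PLACEHOLDER-0001:
    - '*':
        reason: Vulnerable code path not reachable from this service; tracked in ticket PLACEHOLDER-1
        expires: 2024-01-31T00:00:00.000Z
  SNYK-PLACEHOLDER-0002:
    - '*':
        reason: Upgrade scheduled for the next release
        expires: 2099-12-31T00:00:00.000Z
EOF
}

# Print the ids of ignores whose 'expires' timestamp is earlier than the
# given date (YYYY-MM-DD). ISO-8601 timestamps sort lexicographically, so a
# plain string comparison is enough.
expired_ignores() {
  awk -v today="$2" '
    /^ignore:/            { in_ignore = 1; next }   # enter the ignore section
    /^[^ ]/               { in_ignore = 0 }         # any other top-level key ends it
    in_ignore && /^  [^ ]/ { id = $1; sub(/:$/, "", id) }   # two-space indent: issue id
    in_ignore && /^ *expires:/ { if ($2 < today) print id }
  ' "$1"
}

# Usage: ./check-snyk-policy.sh path/to/.snyk
if [ $# -gt 0 ]; then
  stale=$(expired_ignores "$1" "$(date +%Y-%m-%d)")
  if [ -n "$stale" ]; then
    echo "Expired Snyk ignores, please review:" >&2
    echo "$stale" >&2
    exit 1
  fi
  echo "No expired ignores in $1"
fi
```

Snyk itself stops honouring an ignore once its expiry passes, so the finding reappears in the scan; running the check above in CI reports the stale entry by id, which is easier to act on than an unexplained pipeline failure.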

False Positives

Snyk may report that new vulnerabilities have been introduced on a feature branch and fail the pipeline, even if this is not the case. As newly identified vulnerabilities are always being published, the report for the main branch may become outdated when a new vulnerability is published.

If you think this may be the case, simply re-run the monitor command against the main branch to update the report on the Snyk server, then re-run your pipeline.

Please ensure this matches the command used by the pr-merge-main workflow to maintain consistency.

snyk monitor --org=legal-aid-agency --all-projects --exclude=build,generated --target-reference=main

You should then see the new vulnerability in the LAA Dashboard, otherwise it is a new vulnerability introduced on the feature branch that needs to be resolved.
