Migrating to AWS CodeBuild

This guide outlines the steps for migrating your Snyk Open Source security scanning workflow from the Snyk and AWS CodePipeline integration to AWS CodeBuild. By using the Snyk CLI and the built-in capabilities of CodeBuild, you can achieve a more streamlined and configurable solution for running Snyk software composition analysis (SCA) scans in your CI/CD pipeline.

Migration goal

• Current Setup: Your workflow uses the Snyk CodePipeline plugin in a dedicated stage in CodePipeline.

• Target Setup: Snyk scanning is performed in a custom CodeBuild build step. This build step leverages the Snyk CLI directly to execute the scan and integrate the results into your pipeline.

Prerequisites

• An active AWS account with CodeBuild and CodePipeline services enabled

• Snyk account with the Snyk CLI configured

• Familiarity with CodeBuild project configuration and environment variables

• Understanding of your existing CodePipeline stages and their interaction with Snyk

Migration steps

Follow the steps in these sections to migrate your Snyk Open Source security scanning workflow from the Snyk and AWS CodePipeline integration to AWS CodeBuild

Set up CodeBuild

• Create a new CodeBuild project in your AWS account.

• Choose a compatible base image for your project based on your programming language and dependencies.

• Review how to authenticate the Snyk CLI with your account and consider using an environment variable to store sensitive information such as your Snyk CLI token.

• Configure build commands:

  • Install the Snyk CLI using the commands appropriate for your operating system.

  • Define a build command that executes the Snyk scan using the CLI.

  • Define a build command that sends a snapshot of the project to Snyk for continuous monitoring (optional).

• Review the example buildspec.yaml that follows for more details:

# buildspec.yaml
version: 0.2

phases:
  build:
    commands:
      # install the latest Snyk CLI from GitHub Releases
      - latest_version=$(curl -Is "https://github.com/snyk/cli/releases/latest" | grep "^location" | sed 's#.*tag/##g' | tr -d "\r")
      - snyk_cli_dl_linux="https://github.com/snyk/cli/releases/download/${latest_version}/snyk-linux"
      - curl -Lo /usr/local/bin/snyk $snyk_cli_dl_linux
      - chmod +x /usr/local/bin/snyk
      
      # authenticate the Snyk CLI
      - snyk auth $SNYK_TOKEN
      
      # perform a Snyk SCA scan; continue if vulnerabilities are found
      - snyk test || true
      
      # upload a snapshot of the project to Snyk for continuous monitoring
      - snyk monitor

Set up CodePipeline

For some Open Source projects, you must build the Project before testing it with the Snyk CLI. Review the Snyk documentation to determine whether Snyk requires your Project to be built before running an Open Source scan; then follow the instructions in the corresponding section below:

Snyk requires a built project

• Edit your existing CodePipeline or create a new one.

• Create a new stage to build your project, or edit the existing build stage.

• Add the commands from the example buildspec.yaml to your build stage so that the Snyk scan occurs immediately after the project is built.

Snyk does not require a built project

• Edit your existing CodePipeline or create a new one.

• Add a new build stage after your source code acquisition stage.

• Select your newly created CodeBuild project for this stage.

• Select SourceArtifact under Input artifacts to allow Snyk to scan the source code directly.

Result handling

The Snyk integration for CodePipeline only supports a limited set of Snyk CLI functionality and options. By using the Snyk CLI in CodeBuild, you have the ability to use any Snyk CLI features. However, if your goal is to replicate the behavior of the Snyk CodePipeline integration as closely as possible, you can follow these tips:

• The snyk test command produces a non-zero exit code when vulnerabilities are found. Consider adding || true to the end of the command to circumvent this behavior.

• The snyk-to-html tool can be used to produce an HTML report of scan results by running a command similar to snyk test --json | snyk-to-html -o snyk-results.html

• Use the following CLI options to reproduce behaviors you had configured in the AWS CodePipeline integration:

  • --org=<ORG_ID> - Specify the <ORG_ID> to run Snyk commands tied to a specific Snyk Organization.

  • --severity-threshold=<low|medium|high|critical> - Report only vulnerabilities at the specified level or higher.

  • --all-projects - Auto-detect all projects in the working directory.

  • --project-name=<PROJECT_NAME> - Specify a custom Snyk project name to the snyk monitor command.

Test and validate

• Trigger a manual build in your CodePipeline to test the new CodeBuild integration.

• Verify that the Snyk scan executes successfully and outputs results as expected.

• Ensure your subsequent pipeline stages handle the scan output appropriately.

Deployment

• When testing is complete, consider deploying the updated CodePipeline.

• Monitor your pipeline for successful Snyk scan execution and address any integration issues.

Conclusion

By following these steps and considerations, you can successfully migrate your security scanning workflow from the Snyk and AWS CodePipeline integration to a more streamlined and configurable solution using AWS CodeBuild.

Troubleshooting

How do I store the Snyk token in AWS Secrets Manager and use it in AWS CodeBuild?

If you use an AWS Secrets Manager environment variable, store your token in AWS Secrets Manager as plain text and ensure that your CodeBuild service role has the secretsmanager:GetSecretValue permission in IAM. The value of the environment variable in AWS CodeBuild should be set to the Secret name in AWS Secrets Manager.