Fix: Suppress Snyk debug logs and redirect to temp file

[4rivappa]

Resolves #146

Previously, snyk debug output was printed directly to the console, cluttering CI logs.
This change redirects stderr to a temporary log file, and only displays it if the snyk command fails.

Applied changes to two snyk commands:

• snyk test -d --json
• snyk container test $image -d --json

Testing and Validation:

I have tested changes applied to the first snyk command snyk test -d --json,
TODO: Need to test the entire script once, with k/k master.

[k8s-ci-robot]

Welcome @4rivappa!

It looks like this is your first PR to kubernetes/sig-security 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/sig-security has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[mtardy]

Thanks!! Looks good overall just a few questions

[mtardy]

kinda out of scope of this patch and not super familiar with this script or the error output code of snyk, but do you know if it's normal that we ignore the value 1?

[4rivappa]

Yeah, it is normal to ignore the exit code 1 (case of vulnerabilities found) from snyk commands.
We are handling it in the below json parsing !

Description of exit codes from snyk docs

Possible exit codes and their meaning:

0: success (scan completed), no vulnerabilities found
1: action_needed (scan completed), vulnerabilities found
2: failure, try to re-run command. Use -d to output the debug logs.
3: failure, no supported projects detected

---

And to confirm that snyk debug logs are redirected to stderr, found the pointer to debugger init.

[mtardy]

ah thanks for the detailed answer, indeed 😅

[mtardy]

maybe we could early exit then on 0 but that's not super important

[4rivappa]

For processing the containers scan, we need to proceed (cannot early exit, here) 😅

[mtardy]

ah thanks for the detailed answer, indeed 😅

[mtardy]

maybe we could early exit then on 0 but that's not super important

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 4rivappa, mtardy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• sig-security-tooling/OWNERS [mtardy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtardy]

Let's ship this, I don't have a Snyk token or access to it to try this locally. We'll revert/fix if it's broken.

/lgtm

[mtardy]

Here's the place to look https://prow.k8s.io/job-history/gs/kubernetes-ci-logs/logs/ci-kubernetes-snyk-master

[mtardy]

logs look lean! https://storage.googleapis.com/kubernetes-ci-logs/logs/ci-kubernetes-snyk-master/1950508691786567680/build-log.txt that's nice thanks!