Merged
26 changes: 17 additions & 9 deletions sig-security-tooling/scanning/build-deps-and-release-images.sh
@@ -23,11 +23,15 @@ if [ -z "${SNYK_TOKEN}" ]; then
fi
echo "Running snyk scan .."
EXIT_CODE=0
RESULT_UNFILTERED=$(snyk test -d --json) || EXIT_CODE=$?
DEBUG_LOG_FILE=$(mktemp)
RESULT_UNFILTERED=$(snyk test -d --json 2> "$DEBUG_LOG_FILE") || EXIT_CODE=$?
if [ $EXIT_CODE -gt 1 ]; then
Member

kinda out of scope of this patch and not super familiar with this script or the error output code of snyk, but do you know if it's normal that we ignore the value 1?

Contributor Author

Yeah, it is normal to ignore the exit code 1 (case of vulnerabilities found) from snyk commands.
We are handling it in the JSON parsing below!

Description of exit codes from snyk docs

Possible exit codes and their meaning:

0: success (scan completed), no vulnerabilities found
1: action_needed (scan completed), vulnerabilities found
2: failure, try to re-run command. Use -d to output the debug logs.
3: failure, no supported projects detected

And to confirm that snyk debug logs are redirected to stderr, found the pointer to debugger init.

Member

ah thanks for the detailed answer, indeed 😅

Member

maybe we could early exit then on 0 but that's not super important

Contributor Author

For processing the containers scan, we need to proceed (cannot early exit, here) 😅

echo "Failed to run snyk scan with exit code $EXIT_CODE "
echo "Failed to run snyk scan with exit code $EXIT_CODE"
cat "$DEBUG_LOG_FILE"
exit 1
fi
rm -f "$DEBUG_LOG_FILE"

RESULT=$(echo $RESULT_UNFILTERED | jq \
'{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }')
if [[ ${RESULT} ]]; then
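Review bot: the `rm -f "$DEBUG_LOG_FILE"` placed after the `fi` only runs on the success path; when `EXIT_CODE` is greater than 1 the script prints the log and runs `exit 1`, so the mktemp file is left behind. Registering the cleanup once, right after `DEBUG_LOG_FILE=$(mktemp)`, with `trap 'rm -f "$DEBUG_LOG_FILE"' EXIT` covers both paths. The unchanged `RESULT=$(echo $RESULT_UNFILTERED | jq \` line also passes the JSON through word splitting and glob expansion because the variable is unquoted; `printf '%s' "$RESULT_UNFILTERED" | jq ...` hands jq the output intact.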
@@ -55,19 +59,23 @@ echo "Build time dependency scan completed"
echo "Fetch the list of k8s images"
curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images
while read image; do
echo "Running container image scan.."
echo "Running container image scan for $image"
EXIT_CODE=0
RESULT_UNFILTERED=$(snyk container test $image -d --json) || EXIT_CODE=$?
DEBUG_LOG_FILE=$(mktemp)
RESULT_UNFILTERED=$(snyk container test $image -d --json 2> "$DEBUG_LOG_FILE") || EXIT_CODE=$?
if [ $EXIT_CODE -gt 1 ]; then
echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED"
exit 1
echo "Failed to run snyk scan with exit code $EXIT_CODE"
cat "$DEBUG_LOG_FILE"
exit 1
fi
rm -f "$DEBUG_LOG_FILE"

RESULT=$(echo $RESULT_UNFILTERED | jq \
'{vulnerabilities: .vulnerabilities | map(select(.isUpgradable == true or .isPatchable == true)) | select(length > 0) }')
if [[ ${RESULT} ]]; then
echo "Vulnerability filtering failed"
# exit 1 (To allow other images to be scanned even if one fails)
echo "Vulnerability filtering failed"
# exit 1 (To allow other images to be scanned even if one fails)
else
echo "Scan completed image $image"
echo "Scan completed image $image"
fi
done < images
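Review bot: the `exit 1` under `if [ $EXIT_CODE -gt 1 ]; then` aborts the whole loop on the first image snyk cannot scan, while the filter branch keeps its `# exit 1 (To allow other images to be scanned even if one fails)` comment so that remaining images still run; if that is the intent, a `continue` after printing the log is more consistent, and either way the `rm -f "$DEBUG_LOG_FILE"` after the `fi` is skipped on the failure path, so the temp file leaks unless it is removed before exiting or cleaned up via `trap ... EXIT`. Dropping `Error message: $RESULT_UNFILTERED` also discards whatever snyk wrote to stdout on failure; if the `--json` error report lands there rather than in the stderr debug log, printing both keeps the failure diagnosable. Minor hardening for the same lines: quote `"$image"` in `snyk container test $image` and use `while read -r image` so the sed-generated list is never subject to word splitting or backslash processing.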