fabasoad/pre-commit-snyk
GitHub: fabasoad/pre-commit-snyk
Provides Snyk security-scanning hooks for the pre-commit framework, so teams can run vulnerability detection and security analysis automatically before code is committed.
Stars: 15 | Forks: 5
# Snyk pre-commit hooks
[](https://stand-with-ukraine.pp.ua)
## Table of Contents
- [Snyk pre-commit hooks](#snyk-pre-commit-hooks)
  - [Table of Contents](#table-of-contents)
  - [How it works](#how-it-works)
  - [Prerequisites](#prerequisites)
  - [Hooks](#hooks)
    - [snyk-code](#snyk-code)
    - [snyk-container](#snyk-container)
    - [snyk-iac](#snyk-iac)
    - [snyk-log4shell](#snyk-log4shell)
    - [snyk-test](#snyk-test)
  - [Customization](#customization)
    - [Description](#description)
    - [Parameters](#parameters)
      - [Snyk](#snyk)
      - [pre-commit-snyk](#pre-commit-snyk)
        - [Log level](#log-level)
        - [Log color](#log-color)
        - [Snyk version](#snyk-version)
        - [Clean cache](#clean-cache)
    - [Examples](#examples)
  - [Contributions](#contributions)
## How it works
The hook first tries to use a globally installed `snyk` tool. If none is present,
the hook installs `snyk` into the temporary directory `.fabasoad/pre-commit-snyk`,
which is deleted once the scan completes.
## Prerequisites
The following tools must be present on the machine before this pre-commit hook can be used:
- [bash >=4.0](https://www.gnu.org/software/bash/)
- [curl](https://curl.se/)
- [jq](https://jqlang.github.io/jq/)
## Hooks
### snyk-code
This hook runs the [snyk code test](https://docs.snyk.io/snyk-cli/commands/code-test)
command.
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-code
```
### snyk-container
This hook runs the [snyk container test](https://docs.snyk.io/snyk-cli/commands/container-test)
command.
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-container
```
### snyk-iac
This hook runs the [snyk iac test](https://docs.snyk.io/snyk-cli/commands/iac-test)
command.
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-iac
```
### snyk-log4shell
This hook runs the [snyk log4shell](https://docs.snyk.io/snyk-cli/commands/log4shell)
command.
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-log4shell
```
### snyk-test
This hook runs the [snyk test](https://docs.snyk.io/snyk-cli/commands/test) command.
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-test
```
## Customization
### Description
There are 2 ways to customize scanning for `snyk` and `pre-commit-snyk`:
environment variables and parameters passed via [args](https://pre-commit.com/#config-args).
You can pass arguments to the hook itself as well as directly to `snyk`. To tell them apart,
use `--snyk-args` to pass `snyk` arguments and `--hook-args` to pass `pre-commit-snyk`
arguments. The only supported separator is `=`, so use `--hook-args=`
rather than `--hook-args `. See the [Examples](#examples) for more details.
### Parameters
#### Snyk
You can install `snyk` locally and run `snyk --help` to see all available
parameters:
```
$ snyk --version
1.1291.1
$ snyk --help
CLI help
Snyk CLI scans and monitors your projects for security vulnerabilities and license issues.
For more information visit the Snyk website https://snyk.io
For details see the CLI documentation https://docs.snyk.io/features/snyk-cli
How to get started
1. Authenticate by running snyk auth.
2. Test your local project with snyk test.
3. Get alerted for new vulnerabilities with snyk monitor.
Available commands
To learn more about each Snyk CLI command, use the --help option, for example, snyk auth
--help.
Note: The help on the docs site is the same as the --help in the CLI.
snyk auth
Authenticate Snyk CLI with a Snyk account.
snyk test
Test a project for open-source vulnerabilities and license issues.
Note: Use snyk test --unmanaged to scan all files for known open-source dependencies (C/C++
only).
snyk monitor
Snapshot and continuously monitor a project for open-source vulnerabilities and license
issues.
snyk container
These commands test and continuously monitor container images for vulnerabilities and
generate an SBOM for a container image.
snyk iac
These commands find and report security issues in Infrastructure as Code files; detect,
track, and alert on infrastructure drift and unmanaged resources; and create a .driftigore
file.
snyk code
The snyk code test command finds security issues using Static Code Analysis.
snyk sbom
Generate or test an SBOM document in ecosystems supported by Snyk.
snyk log4shell
Find Log4Shell vulnerability.
snyk config
Manage Snyk CLI configuration.
snyk policy
Display the .snyk policy for a package.
snyk ignore
Modify the .snyk policy to ignore stated issues.
Debug
Use -d option to output the debug logs.
Configure the Snyk CLI
You can use environment variables to configure the Snyk CLI and also set variables to
configure the Snyk CLI to connect with the Snyk API. See Configure the Snyk CLI
https://docs.snyk.io/features/snyk-cli/configure-the-snyk-cli
```
#### pre-commit-snyk
The `pre-commit-snyk` tool resolves its settings in the following order of precedence:
- Arguments passed to the hook via `--hook-args`.
- Environment variables.
- Default values.
For example, if you set both `PRE_COMMIT_SNYK_LOG_LEVEL=warning` and `--hook-args=--log-level
error`, the value `error` is used.
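As an added example (not the project's own hook script), the following shell code shows how the `--hook-args=` / `--snyk-args=` split described under Description and the precedence rule above can be implemented; the function names are hypothetical:

```shell
# Added example (not the project's own code): how a hook entry point could
# split "--hook-args=..." / "--snyk-args=..." and apply the documented
# precedence (hook args, then environment variable, then default).

# Print, space-joined, the values of every "--<kind>-args=<value>" entry,
# kind being "hook" or "snyk". Only "=" is accepted as separator, so a bare
# "--hook-args value" (and any unknown argument) is rejected.
extract_args() {
  local kind="$1" out="" arg
  shift
  for arg in "$@"; do
    case "$arg" in
      --"$kind"-args=*) out="${out:+$out }${arg#--"$kind"-args=}" ;;
      --hook-args=*|--snyk-args=*) ;;  # belongs to the other category
      --hook-args|--snyk-args)
        echo "use ${arg}=<value>; a space separator is not supported" >&2
        return 1 ;;
      *) echo "unknown argument: $arg" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$out"
}

# Effective log level: --log-level inside the hook args wins, then
# PRE_COMMIT_SNYK_LOG_LEVEL, then the default "info". Unknown levels fail.
resolve_log_level() {
  local hook_args="$1" level=""
  set -- $hook_args  # hook args arrive as one space-separated string
  while [ $# -gt 0 ]; do
    if [ "$1" = "--log-level" ] && [ $# -gt 1 ]; then
      level="$2"; shift
    fi
    shift
  done
  [ -n "$level" ] || level="${PRE_COMMIT_SNYK_LOG_LEVEL:-info}"
  case "$level" in
    debug|info|warning|error) printf '%s\n' "$level" ;;
    *) echo "invalid log level: $level" >&2; return 1 ;;
  esac
}

# Build (but do not run) the command line the snyk-test hook would execute.
snyk_test_command() { printf 'snyk test %s\n' "$(extract_args snyk "$@")"; }

# Walk through the README's first example exactly as pre-commit passes "args".
run_example() {
  echo "log level: $(resolve_log_level "$(extract_args hook "$@")")"
  snyk_test_command "$@"
}
run_example "--hook-args=--log-level debug" "--snyk-args=--package-manager=pip" "--snyk-args=--file=requirements.txt"
```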
##### Log level
This parameter controls the log level of the `pre-commit-snyk` hook's own output.
It does not affect the log level of `snyk` output; to control that,
see the [Snyk parameters](#snyk).
- Parameter name: `--log-level`
- Environment variable: `PRE_COMMIT_SNYK_LOG_LEVEL`
- Possible values: `debug`, `info`, `warning`, `error`
- Default: `info`
##### Log color
This parameter enables or disables colored output in the `pre-commit-snyk`
hook's logs. It does not affect the color of `snyk` logs.
- Parameter name: `--log-color`
- Environment variable: `PRE_COMMIT_SNYK_LOG_COLOR`
- Possible values: `true`, `false`
- Default: `true`
##### Snyk version
Specifies a particular `snyk` version to use. This only takes effect when `snyk` is not
installed globally; otherwise the globally installed `snyk` is used.
- Parameter name: `--snyk-version`
- Environment variable: `PRE_COMMIT_SNYK_SNYK_VERSION`
- Possible values: any [Snyk version](https://github.com/snyk/cli/releases)
- Default: `latest`
##### Clean cache
This parameter lets you choose whether to keep the cache directory (`.fabasoad/pre-commit-snyk`)
or delete it. By default the cache directory is deleted. If `false` is passed,
the cache directory is kept, which means that if `snyk` is not installed globally,
subsequent runs will not download `snyk` again. Don't forget to add the cache directory to your `.gitignore` file.
- Parameter name: `--clean-cache`
- Environment variable: `PRE_COMMIT_SNYK_CLEAN_CACHE`
- Possible values: `true`, `false`
- Default: `true`
### Examples
Passing arguments separately:
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-test
        args:
          - --hook-args=--log-level debug
          - --snyk-args=--package-manager=pip
          - --snyk-args=--file=requirements.txt
```
Passing all arguments of each category together:
```
repos:
  - repo: https://github.com/fabasoad/pre-commit-snyk
    rev:
    hooks:
      - id: snyk-iac
        args:
          - --hook-args=--log-level debug
          - --snyk-args=--detection-depth=1 --ignore-policy
```
## Contributions
