Merged
2 changes: 2 additions & 0 deletions .tekton/lightspeed-stack-pull-request.yaml
@@ -404,6 +404,8 @@ spec:
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: ARGS
value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
runAfter:
- build-image-index
taskRef:
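Review bot: the new ARGS line passes exactly the same `--project-name=lightspeed-stack --report --org=…` as the push pipeline in .tekton/lightspeed-stack-push.yaml, so with `--report` a scan of an unmerged pull request is uploaded under the same Snyk project as the scan of the merged branch, and whichever pipeline ran last is what the project shows. If that is not intended, give pull-request runs a distinct target (for example a per-branch `--target-reference`, or keep `--report` only on the push pipeline). The org UUID literal is also duplicated across the two files; declaring it once as a pipeline-level param that both ARGS values read as `$(params.snyk-org-id)` keeps them from drifting.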
2 changes: 2 additions & 0 deletions .tekton/lightspeed-stack-push.yaml
@@ -401,6 +401,8 @@ spec:
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: ARGS
value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
Comment on lines +404 to +405 (Contributor):
⚠️ Potential issue | 🟠 Major

Hardcoded organization UUID should be externalized to a secret.

The Snyk organization UUID (dca2ca89-7e51-4a3a-b7a5-6ad5633057b8) is hardcoded in the pipeline file. This is sensitive organizational information that should be stored as a Tekton secret or pipeline parameter rather than exposed in version control.

Consider refactoring to use a parameter or secret reference:

```yaml
- name: ARGS
  value: --project-name=lightspeed-stack --report --org=$(params.snyk-org-id)
```

Then define snyk-org-id as a parameter that references a secret or is injected from a secure store.

🤖 Prompt for AI Agents
In .tekton/lightspeed-stack-push.yaml around lines 404-405 the Snyk organization
UUID is hardcoded; replace the literal value with a parameter or secret
reference (for example use --org=$(params.snyk-org-id) or inject from a secret
via taskRun/pipelineResource) and update the task/pipeline definition to declare
the snyk-org-id parameter and/or mount a tekton secret reference that provides
the org ID; ensure the secret is created in the cluster and the
pipeline/task/pipelinerun binds that secret or parameter so the org UUID is no
longer stored in version control.

runAfter:
- build-image-index
taskRef:
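Review bot: agreed with the comment above on taking the UUID out of the task block, with one caveat on the mechanism: a Snyk org ID only selects where `--report` uploads results and is not an authentication credential, so a `params:` entry on the Pipeline (`- name: snyk-org-id`, referenced as `--org=$(params.snyk-org-id)`) is sufficient and also lets .tekton/lightspeed-stack-pull-request.yaml share the single value instead of repeating the literal. If it must come from a Secret, note that Tekton does not resolve Secrets into Pipeline params and that PipelineResources are no longer available; the Secret has to be read as a step `env` (`valueFrom.secretKeyRef`) inside the Task and appended to the CLI arguments there.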
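As an added illustration of the parameterization the review comment describes (this is not the lightspeed-stack pipeline nor the commenter's suggestion verbatim), the fragment below declares `snyk-org-id` once at the Pipeline level, shows a PipelineRun overriding it, and shows the alternative of reading the ID from a Secret inside the Task. The pipeline name, the `snyk-scan` task, the container image and the `snyk-config`/`org-id` Secret names are assumptions; only the UUID, the `--project-name`/`--report` arguments and `build-image-index` come from the diff:

```yaml
# Added example, not from lightspeed-stack. Items marked "assumed" are hypothetical.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: example-scan-pipeline        # assumed
spec:
  params:
    - name: snyk-org-id
      type: string
      description: Snyk organization UUID that --report uploads results to
      # A default keeps the pipeline runnable when the PipelineRun omits the param;
      # the UUID then lives in one place instead of in every task block.
      default: dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
  tasks:
    - name: build-image-index          # stands in for the real build task
      taskRef:
        name: build-image-index        # assumed
    - name: snyk-scan                  # assumed task name
      runAfter:
        - build-image-index
      params:
        - name: ARGS
          value: --project-name=lightspeed-stack --report --org=$(params.snyk-org-id)
      taskRef:
        name: snyk-scan                # assumed
---
# A PipelineRun overrides the default per environment without editing the Pipeline.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: example-scan-
spec:
  pipelineRef:
    name: example-scan-pipeline        # assumed
  params:
    - name: snyk-org-id
      value: dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
---
# If the ID must come from a Secret: Tekton resolves Secrets in a step's env,
# not in Pipeline params, so the Task reads it at run time and appends --org itself.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: snyk-scan                      # assumed
spec:
  params:
    - name: ARGS
      type: string
      description: CLI arguments without --org when the Secret path is used
  steps:
    - name: scan
      image: snyk/snyk:linux           # assumed image
      env:
        - name: SNYK_ORG_ID
          valueFrom:
            secretKeyRef:
              name: snyk-config        # assumed Secret name
              key: org-id              # assumed key
      script: |
        #!/bin/sh
        set -eu
        snyk test $(params.ARGS) --org="$SNYK_ORG_ID"
```

The Pipeline-param route is the simpler one and is enough for an identifier; the Secret route only pays off if the ID must be rotated or withheld from the repository, and then the ARGS value in the pipeline must not carry its own `--org`, or the two would conflict.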