CI: rework so script is called four times

cyber-dojo · Dec 28, 2023 · 6bcfbdd · 6bcfbdd
1 parent 2faf89e
commit 6bcfbdd
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 51 deletions.
diff --git a/.github/workflows/snyk_scan_aws_prod.yml → .github/workflows/snyk_scan_aws_envs.yml b/.github/workflows/snyk_scan_aws_prod.yml → .github/workflows/snyk_scan_aws_envs.yml
@@ -53,5 +53,26 @@ jobs:
 
       - name: Run Snyk
         run: |
-          KOSLI_ENVIRONMENT=aws-prod
-          ./snyk_scan_live_artifacts_and_report_to_kosli.sh "${KOSLI_ENVIRONMENT}"
+          # What https://app.kosli.com says is running in aws-prod
+          ./snyk_scan_live_artifacts_and_report_to_kosli.sh \
+            aws-prod \
+            "${KOSLI_HOST_PROD}" \
+            "${KOSLI_API_TOKEN_PROD}"
+
+          # What https://app.kosli.com says is running in aws-beta
+          ./snyk_scan_live_artifacts_and_report_to_kosli.sh \
+            aws-beta \
+            "${KOSLI_HOST_PROD}" \
+            "${KOSLI_API_TOKEN_PROD}"
+
+          # What https://staging.app.kosli.com says is running in aws-prod
+          ./snyk_scan_live_artifacts_and_report_to_kosli.sh \
+            aws-prod \
+            "${KOSLI_HOST_STAGING}" \
+            "${KOSLI_API_TOKEN_STAGING}"
+
+          # What https://staging.app.kosli.com says is running in aws-beta
+          ./snyk_scan_live_artifacts_and_report_to_kosli.sh \
+            aws-beta \
+            "${KOSLI_HOST_STAGING}" \
+            "${KOSLI_API_TOKEN_STAGING}"
diff --git a/snyk_scan_live_artifacts_and_report_to_kosli.sh b/snyk_scan_live_artifacts_and_report_to_kosli.sh
@@ -4,14 +4,11 @@ set -Eeu
 root_dir() { git rev-parse --show-toplevel; }
 source "$(root_dir)/scripts/exit_non_zero_unless_installed.sh"
 
-export KOSLI_ENVIRONMENT="${1}"
 export KOSLI_FLOW=regular-snyk-scan
-# Set in CI
-# KOSLI_HOST
-# KOSLI_HOST_STAGING
-# KOSLI_ORG
-# KOSLI_API_TOKEN
-# KOSLI_API_TOKEN_STAGING
+export KOSLI_ENVIRONMENT="${1}"
+export KOSLI_HOST="${2}"
+export KOSLI_API_TOKEN="${3}"
+# KOSLI_ORG # Set in CI
 
 
 snyk_scan_live_artifacts_and_report_any_new_vulnerabilities_to_kosli()
@@ -47,13 +44,10 @@ report_snyk_vulnerabilities_to_kosli()
     local -r snyk_policy_filename=.snyk
 
     if [ "${flow}" == "" ]; then
-      return  # The artifact has no provenance
+      echo "Artifact ${image_name} in Environment ${KOSLI_ENVIRONMENT} has no provenance in ${KOSLI_HOST}"
+      return
     fi
 
-    #    if [ "${flow}" != "runner" ]; then
-    #      return  # On aws-prod, first try with just one flow
-    #    fi
-
     # All cyber-dojo microservice repos hold a .snyk policy file.
     # This is an empty file when no vulnerabilities are turned-off.
     # Ensure we get the .snyk file for the given artifact's git commit.
@@ -67,46 +61,24 @@ report_snyk_vulnerabilities_to_kosli()
         --policy-path="${snyk_policy_filename}"
     set -e
 
-    kosli_create_flow()
-    {
-      kosli create flow "${KOSLI_FLOW}" \
-        --description="Scan of deployed Artifacts running in their Environment" \
-        --template=artifact,snyk-scan \
-        "$@"
-    }
-    kosli_report_artifact()
-    {
-      kosli report artifact "${image_name}" \
-        --artifact-type=docker \
-        "$@"
-    }
-    kosli_attest_snyk()
-    {
-      kosli report evidence artifact snyk \
-        --fingerprint="${fingerprint}" \
-        --name=snyk-scan \
-        --scan-results="${snyk_output_json_filename}" \
-        "$@"
-    }
-    kosli_expect_deployment()
-    {
-      kosli expect deployment \
-        --fingerprint="${fingerprint}" \
-        --description="Deployed in ${KOSLI_ENVIRONMENT}" \
-        --environment="${KOSLI_ENVIRONMENT}" \
-        "$@"
-    }
+    kosli create flow "${KOSLI_FLOW}" \
+      --description="Scan of deployed Artifacts running in their Environment" \
+      --template=artifact,snyk-scan
+
     docker pull "${image_name}"
 
-    kosli_create_flow       --host="${KOSLI_HOST_PROD}"    --api-token="${KOSLI_API_TOKEN_PROD}"
-    kosli_report_artifact   --host="${KOSLI_HOST_PROD}"    --api-token="${KOSLI_API_TOKEN_PROD}"
-    kosli_attest_snyk       --host="${KOSLI_HOST_PROD}"    --api-token="${KOSLI_API_TOKEN_PROD}"
-    kosli_expect_deployment --host="${KOSLI_HOST_PROD}"    --api-token="${KOSLI_API_TOKEN_PROD}"
+    kosli report artifact "${image_name}" \
+        --artifact-type=docker
+
+    kosli report evidence artifact snyk \
+      --fingerprint="${fingerprint}" \
+      --name=snyk-scan \
+      --scan-results="${snyk_output_json_filename}"
 
-    kosli_create_flow       --host="${KOSLI_HOST_STAGING}" --api-token="${KOSLI_API_TOKEN_STAGING}"
-    kosli_report_artifact   --host="${KOSLI_HOST_STAGING}" --api-token="${KOSLI_API_TOKEN_STAGING}"
-    kosli_attest_snyk       --host="${KOSLI_HOST_STAGING}" --api-token="${KOSLI_API_TOKEN_STAGING}"
-    kosli_expect_deployment --host="${KOSLI_HOST_STAGING}" --api-token="${KOSLI_API_TOKEN_STAGING}"
+    kosli expect deployment \
+      --fingerprint="${fingerprint}" \
+      --description="Deployed in ${KOSLI_ENVIRONMENT}" \
+      --environment="${KOSLI_ENVIRONMENT}"
 }
 
 exit_non_zero_unless_installed kosli snyk jq