Setup periodic snyk monitoring per branch (elastic#88522)

Adds a new ci Jenkins job configuration for running snyk dependency monitoring on a daily basis. We setup a service account in snyk and resolve the api token for publishing in vault. Related to elastic#87620
breskeby · Jul 15, 2022 · 1335b2f · 1335b2f
1 parent 6d7e2fd
commit 1335b2f
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/.ci/jobs.t/elastic+elasticsearch+periodic+snyk-dependency-monitoring-trigger.yml b/.ci/jobs.t/elastic+elasticsearch+periodic+snyk-dependency-monitoring-trigger.yml
@@ -0,0 +1,6 @@
+---
+jjbb-template: periodic-trigger-lgc.yml
+vars:
+  - periodic-job: elastic+elasticsearch+%BRANCH%+snyk-dependency-monitoring
+  - lgc-job: elastic+elasticsearch+%BRANCH%+intake
+  - cron: "H H * * *"
diff --git a/.ci/jobs.t/elastic+elasticsearch+periodic+snyk-dependency-monitoring.yml b/.ci/jobs.t/elastic+elasticsearch+periodic+snyk-dependency-monitoring.yml
@@ -0,0 +1,22 @@
+---
+- job:
+    name: elastic+elasticsearch+%BRANCH%+snyk-dependency-monitoring
+    workspace: /dev/shm/elastic+elasticsearch+%BRANCH%+snyk-dependency-monitoring
+    display-name: "elastic / elasticsearch # %BRANCH% - snyk dependency monitoring"
+    description: "Publishing of the Elasticsearch %BRANCH% dependencies graph to snyk dependency monitoring"
+    builders:
+      - inject:
+          properties-file: '.ci/java-versions.properties'
+          properties-content: |
+            JAVA_HOME=$HOME/.java/$ES_BUILD_JAVA
+            RUNTIME_JAVA_HOME=$HOME/.java/$ES_RUNTIME_JAVA
+      - shell: |
+          #!/usr/local/bin/runbld --redirect-stderr
+          set -euo pipefail
+          set +x
+          VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_ROLE_ID secret_id=$VAULT_SECRET_ID)
+          export VAULT_TOKEN
+          export SNYK_TOKEN=$(vault read -field=token secret/elasticsearch-ci/snyk)
+          unset VAULT_TOKEN
+          set -x
+          $WORKSPACE/.ci/scripts/run-gradle.sh uploadSnykDependencyGraph
diff --git a/...ain/java/org/elasticsearch/gradle/internal/snyk/SnykDependencyMonitoringGradlePlugin.java b/...ain/java/org/elasticsearch/gradle/internal/snyk/SnykDependencyMonitoringGradlePlugin.java
@@ -47,7 +47,7 @@ public void apply(Project project) {
 
         project.getTasks().register(UPLOAD_TASK_NAME, UploadSnykDependenciesGraph.class, t -> {
             t.getInputFile().set(generateTaskProvider.get().getOutputFile());
-            t.getToken().set(providerFactory.gradleProperty("snykToken"));
+            t.getToken().set(providerFactory.environmentVariable("SNYK_TOKEN"));
             // the elasticsearch snyk project id
             t.getProjectId().set(providerFactory.gradleProperty("snykProjectId"));
         });