c2cciutils 1.6.0.dev2__py3-none-any.whl → 1.6.0.dev5__py3-none-any.whl

c2cciutils/configuration.py

@@ -813,6 +813,14 @@ PUBLISH_DOCKER_REPOSITORY_VERSIONS_DEFAULT = ["version_tag", "version_branch", "
 """Default value of the field path 'Publish Docker repository versions'"""
 
 
+PUBLISH_DOCKER_SNYK_MONITOR_ARGS_DEFAULT = ["--app-vulns"]
+"""Default value of the field path 'Publish Docker config snyk monitor_args'"""
+
+
+PUBLISH_DOCKER_SNYK_TEST_ARGS_DEFAULT = ["--app-vulns", "--severity-threshold=critical"]
+"""Default value of the field path 'Publish Docker config snyk test_args'"""
+
+
 PUBLISH_GOOGLE_CALENDAR_DEFAULT: Dict[str, Any] = {}
 """Default value of the field path 'Publish google_calendar'"""
 
@@ -984,6 +992,12 @@ class PublishDockerConfig(TypedDict, total=False):
     oneOf
     """
 
+    snyk: "_PublishDockerConfigSnyk"
+    """
+    WARNING: The required are not correctly taken in account,
+    See: https://github.com/camptocamp/jsonschema-gentypes/issues/6
+    """
+
 
 class PublishDockerImage(TypedDict, total=False):
     """Publish Docker image."""
@@ -1338,6 +1352,35 @@ class _PrintVersionsVersionsItem(TypedDict, total=False):
     """Prefix added when we print the version"""
 
 
+class _PublishDockerConfigSnyk(TypedDict, total=False):
+    """Checks the published images with Snyk"""
+
+    monitor_args: Union[List[str], Literal[False]]
+    """
+    Publish docker snyk monitor args.
+
+    The arguments to pass to the Snyk container monitor command
+
+    default:
+      - --app-vulns
+
+    oneOf
+    """
+
+    test_args: Union[List[str], Literal[False]]
+    """
+    Publish docker snyk test args.
+
+    The arguments to pass to the Snyk container test command
+
+    default:
+      - --app-vulns
+      - --severity-threshold=critical
+
+    oneOf
+    """
+
+
 _VersionTransformItem = TypedDict(
     "_VersionTransformItem",
     {

c2cciutils/schema.json

@@ -469,6 +469,40 @@
                 },
                 { "const": false }
               ]
+            },
+            "snyk": {
+              "description": "Checks the published images with Snyk",
+              "type": "object",
+              "properties": {
+                "monitor_args": {
+                  "description": "The arguments to pass to the Snyk container monitor command",
+                  "title": "Publish docker snyk monitor args",
+                  "default": ["--app-vulns"],
+                  "oneOf": [
+                    {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    { "const": false }
+                  ]
+                },
+                "test_args": {
+                  "description": "The arguments to pass to the Snyk container test command",
+                  "title": "Publish docker snyk test args",
+                  "default": ["--app-vulns", "--severity-threshold=critical"],
+                  "oneOf": [
+                    {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    { "const": false }
+                  ]
+                }
+              }
             }
           }
         },

c2cciutils/scripts/publish.py

@@ -305,28 +305,43 @@ def main() -> None:
 
         snyk_exec, env = c2cciutils.snyk_exec()
         for image in images_snyk:
-            if version_type in ("version_branch", "version_tag"):
-                subprocess.run(  # pylint: disable=subprocess-run-check
-                    [
-                        snyk_exec,
-                        "container",
-                        "monitor",
-                        "--app-vulns",
-                        # Available only on the business plan
-                        # f"--project-tags=tag={image.split(':')[-1]}",
-                        image,
-                    ],
-                    env=env,
+            print(f"::group::Snyk check {image}")
+            sys.stdout.flush()
+            sys.stderr.flush()
+            try:
+                if version_type in ("version_branch", "version_tag"):
+                    monitor_args = docker_config.get("snyk", {}).get(
+                        "monitor_args",
+                        c2cciutils.configuration.PUBLISH_DOCKER_SNYK_MONITOR_ARGS_DEFAULT,
+                    )
+                    if monitor_args is not False:
+                        subprocess.run(  # pylint: disable=subprocess-run-check
+                            [
+                                snyk_exec,
+                                "container",
+                                "monitor",
+                                *monitor_args,
+                                # Available only on the business plan
+                                # f"--project-tags=tag={image.split(':')[-1]}",
+                                image,
+                            ],
+                            env=env,
+                        )
+                test_args = docker_config.get("snyk", {}).get(
+                    "test_args", c2cciutils.configuration.PUBLISH_DOCKER_SNYK_TEST_ARGS_DEFAULT
                 )
-            # Currently just for information
-            subprocess.run(  # pylint: disable=subprocess-run-check
-                [snyk_exec, "container", "test", "--app-vulns", "--severity-threshold=high", image], env=env
-            )
-            subprocess.run(
-                [snyk_exec, "container", "test", "--app-vulns", "--severity-threshold=critical", image],
-                check=not based_on_master and version_type == "version_branch",
-                env=env,
-            )
+                if test_args is not False:
+                    subprocess.run(
+                        [snyk_exec, "container", "test", *test_args, image],
+                        check=not based_on_master and version_type == "version_branch",
+                        env=env,
+                    )
+
+                print("::endgroup::")
+            except subprocess.CalledProcessError as exception:
+                print(f"Error: {exception}")
+                print("::endgroup::")
+                print("::error::With error")
 
         versions_config = c2cciutils.lib.docker.get_versions_config()
         dpkg_success = True

{c2cciutils-1.6.0.dev2.dist-info → c2cciutils-1.6.0.dev5.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: c2cciutils
-Version: 1.6.0.dev2
+Version: 1.6.0.dev5
 Summary: Common utilities for Camptocamp CI
 Home-page: https://github.com/camptocamp/c2cciutils
 License: FreeBSD

{c2cciutils-1.6.0.dev2.dist-info → c2cciutils-1.6.0.dev5.dist-info}/RECORD

@@ -6,7 +6,7 @@ c2cciutils/audit.py,sha256=1tYkhqeMLh8-OD5vnnTyXMWfYyF8hcIKpg48yVna6xU,8625
 c2cciutils/branches.graphql,sha256=UZrj1RO-H527M1SKqWm1VnkWtNsuKTnPTf4BCU2YcOU,358
 c2cciutils/checks.py,sha256=11SSP06M4FwaHh4d_QzGQqZ_vxIulOzDSQF4aS6dpOI,15777
 c2cciutils/commits.graphql,sha256=3HAuIEig5V7j1L-6mqBaOkiTD3Fb8_gl1ilpZjPJf74,308
-c2cciutils/configuration.py,sha256=d2ytgVLKeut9pT6FP_ujTT_TEMoAkQmmQRqbqj2uANA,30208
+c2cciutils/configuration.py,sha256=bpkolt3wgMYyJ06hU6YKaZ-xPqoT1ZUZfDKzRZkP4Mo,31268
 c2cciutils/default_branch.graphql,sha256=CaP3rRsNiyg_7RvqbMk0tOJr0aqWd8cOeSV-ZKgvKY4,131
 c2cciutils/lib/docker.py,sha256=LcGIUJhY8tvKzpS0NpsCQI68tGuPOt99XwezuV-ZKDc,5415
 c2cciutils/node_modules/@pkgr/utils/lib/browser.js,sha256=mDk2AdEH8Asv6rUvn3Gco50TCa8FpOx1jUCnreml5YY,3498
@@ -615,7 +615,7 @@ c2cciutils/prettier.js,sha256=PR96NT85pxZx_wPcfKa6B7_z_Gw_Yp4SCRX8cL_GfLU,588
 c2cciutils/prettier.py,sha256=yxEeaWvbcrgUWtC9jOgo2f_C76pjFpHrWCP1bk0wF1E,5207
 c2cciutils/publish.py,sha256=2cl1GeyRN6odMLkFnzJsoIud8YmcIsX0v2R6yY7TryY,17707
 c2cciutils/schema-applications.json,sha256=Uc-U2xER-FrR67ec-67K2C9kvHFO7hBlAEAQhrdUKoA,1548
-c2cciutils/schema.json,sha256=khJO25K7ZE7ogo3i_1np3JNJ4TGvmPLIWW_mpvNRmOM,28935
+c2cciutils/schema.json,sha256=Mz3NoKCq_9ShRdn8dv7DA2mhgXCjNjIdZ2nmKCe724Y,30199
 c2cciutils/scripts/__init__.py,sha256=N4tcdvUifXQrK9vEvFWrGvoyY9oZ0uRcjb-FoYe41cc,36
 c2cciutils/scripts/audit.py,sha256=yMXtRoOJoAuLwRlON2czpOfl8y9xQYsHEYhzHvalcNE,984
 c2cciutils/scripts/checks.py,sha256=AYv-qr3UXpN3pnvx5tLkt1Lvc00WTvz8UBDEUpt4hgg,2039
@@ -631,11 +631,11 @@ c2cciutils/scripts/k8s/wait.py,sha256=qzQn6hbB9p1CX4bUxrkukPnbu_p6oRNem29WiMtplN
 c2cciutils/scripts/main.py,sha256=pj9gPIrmDUctVPEtaQQGZo-7k7mMeIs14sKQ7w6Sw1Y,1162
 c2cciutils/scripts/pin_pipenv.py,sha256=jBTwlolcEL0MUyq6VYzO-adkcL1gqN7B3kBb3UjTo2k,2150
 c2cciutils/scripts/pr_checks.py,sha256=SSMisUpKipdf3GsgJ4Jk2ZQL7rO2N61O4N4fJLxr810,2105
-c2cciutils/scripts/publish.py,sha256=IRhNNcU3_gxZC9fi9zW17Q_2LRB6e8NFeTtP_rRBDZU,17139
+c2cciutils/scripts/publish.py,sha256=VGxh8Z-jqHgM-5Fb_Queo1i2QzVVXY7UtaafB8EtWhk,17859
 c2cciutils/scripts/trigger_image_update.py,sha256=yYa0BLn-LGrQ1GXlvI5ok8qbV-yCJ12UObS857SuXcc,2804
 c2cciutils/security.py,sha256=k5piTZf6HWIPEAf63vbE06vZKJ62CSS7e_6WXHf4o7Q,1517
-c2cciutils-1.6.0.dev2.dist-info/entry_points.txt,sha256=HahcOZlCfYF4B95pG1CRD_noaFmhDzEoN5YqxLyucyE,939
-c2cciutils-1.6.0.dev2.dist-info/LICENSE,sha256=pK1gU5i1jYBv--vi5omcf6-86pYmAWk6ZGbdERjAgcw,1307
-c2cciutils-1.6.0.dev2.dist-info/WHEEL,sha256=gSF7fibx4crkLz_A-IKR6kcuq0jJ64KNCkG8_bcaEao,88
-c2cciutils-1.6.0.dev2.dist-info/METADATA,sha256=nyOMys1z5d04B15w_D6Stbbnd4EYsB5VGDHhV3R0lZs,17195
-c2cciutils-1.6.0.dev2.dist-info/RECORD,,
+c2cciutils-1.6.0.dev5.dist-info/entry_points.txt,sha256=HahcOZlCfYF4B95pG1CRD_noaFmhDzEoN5YqxLyucyE,939
+c2cciutils-1.6.0.dev5.dist-info/LICENSE,sha256=pK1gU5i1jYBv--vi5omcf6-86pYmAWk6ZGbdERjAgcw,1307
+c2cciutils-1.6.0.dev5.dist-info/WHEEL,sha256=gSF7fibx4crkLz_A-IKR6kcuq0jJ64KNCkG8_bcaEao,88
+c2cciutils-1.6.0.dev5.dist-info/METADATA,sha256=1Y68T_lRWo1PZkqZR1EUQVWCigkKbPQ3_X_ISpFUFd0,17195
+c2cciutils-1.6.0.dev5.dist-info/RECORD,,