Added Snyk Step and converted to Generic Orb (ovotech#1)

* Added Snyk scan step * Remove references to migrations * Renamed orb and updated readme * Update CODEOWNERS
Samuel-West · Jul 20, 2020 · bc5d5e7 · bc5d5e7
1 parent a89ad31
commit bc5d5e7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 29 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -5,4 +5,4 @@
 /aws-get-parameters/   @ovotech/jaws
 /tools-install/        @ovotech/orion-sre
 /with-git-deploy-key/  @ovotech/orion-sre
-/migration-lambdas/    @ovotech/orion-migration
+/versioned-lambdas/    @ovotech/orion-migration
diff --git a/migration-lambdas/README.md → versioned-lambda/README.md b/migration-lambdas/README.md → versioned-lambda/README.md
@@ -1,4 +1,4 @@
-# Orion Migration AWS Lambda Build and Deploy CircleCI Orb
+# Orion Versioned AWS Lambda Build and Deploy CircleCI Orb
 
 This orb can be used to build and deploy AWS lamba functions.
 

diff --git a/migration-lambdas/orb.yml → versioned-lambda/orb.yml b/migration-lambdas/orb.yml → versioned-lambda/orb.yml
@@ -1,8 +1,9 @@
 version: 2.1
-description: An orb to build and deploy AWS Lambda functions written in node.js for Orion Migrations.
+description: An orb to build and deploy AWS Lambda functions written in node.js for Orion Lambdas.
 
 orbs:
   aws-cli: circleci/[email protected]
+  snyk: snyk/[email protected]
 
 executors:
   lambci-node12:
@@ -19,15 +20,11 @@ jobs:
       build-bucket:
         description: "AWS S3 bucket containing lambda build artifacts"
         type: string
-        default: ovo-orion-migration-builds
+        default: ovo-orion-versioned-build
       lambda-zipfile:
         description: "Name of the zip file containing the lambda application code. Defaults to lambda.zip"
         type: string
         default: lambda.zip
-      vulnerability-audit:
-        description: "Whether or not to run the npm audit step. Defaults to true"
-        type: boolean
-        default: true
     executor: << parameters.executor >>
     steps:
       - checkout
@@ -42,26 +39,14 @@ jobs:
           key: dependency-cache-{{ checksum "package-lock.json" }}
           paths:
             - ./node_modules
-      - when:
-          condition: << parameters.vulnerability-audit >>
-          steps:
-            - run:
-                name: Vulnerability audit
-                command: |
-                  set +e
-                  yum -y install jq
-                  npm audit --json > npm-audit.log
-                  cat npm-audit.log
-
-                  critical=$(jq '.metadata.vulnerabilities.critical' npm-audit.log)
-                  high=$(jq '.metadata.vulnerabilities.high' npm-audit.log)
-                  moderate=$(jq '.metadata.vulnerabilities.moderate' npm-audit.log)
-
-                  echo "Vulnerability scan results critical $critical high $high moderate $moderate"
-                  if [ "$high" -gt 0 ] || [ "$moderate" -gt 0 ] || [ "$critical" -gt 0 ]
-                    then
-                      exit 1
-                  fi
+      - run:
+          name: Sudo install
+          command: yum install -y sudo
+      - snyk/scan:
+          token-variable: SNYK_TOKEN
+          monitor-on-build: true
+          severity-threshold: medium
+          project: ${CIRCLE_PROJECT_REPONAME}/${CIRCLE_BRANCH}
       - run:
           name: Lint
           command: npm run lint
@@ -87,7 +72,7 @@ jobs:
       build-bucket:
         description: "AWS S3 bucket containing lambda build artifacts"
         type: string
-        default: ovo-orion-migration-builds
+        default: ovo-orion-versioned-build
       lambda-zipfile:
         description: "Name of the zip file containing the lambda application code. Defaults to lambda.zip"
         type: string