feat: add container support for remote-repo-url UNIFY-506

snyk · Feb 20, 2025 · 349a17d · 349a17d
1 parent eecfa00
commit 349a17d
Show file tree

Hide file tree

Showing 8 changed files with 62 additions and 12 deletions.
diff --git a/help/cli-commands/container-monitor.md b/help/cli-commands/container-monitor.md
@@ -78,6 +78,12 @@ Specify a reference that differentiates this project, for example, a branch name
 
 For more information see [Group projects by branch or version for monitoring](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/group-projects-by-branch-or-version-for-monitoring)
 
+### `--remote-repo-url=<URL>`
+
+Set or override the remote URL for the image that you would like to monitor.
+
+Groups container images under the same target with other monitored projects.
+
 ### `--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>`
 
 Set the project environment to one or more values (comma-separated). To clear the project environment set `--project-environment=`

diff --git a/help/cli-commands/container-test.md b/help/cli-commands/container-test.md
@@ -110,6 +110,12 @@ In CLI versions 1.1090.0 (2023-01-24) and higher, Snyk scans for application dep
 
 In CLI versions 1.962.0 through v1.1089.0, use the `--app-vulns` option with the the `--json` option to see the operating system as well as application vulnerabilities in JSON format in the results.
 
+### `--remote-repo-url=<URL>`
+
+Set or override the remote URL for the image that you would like to test.
+
+Groups container images under the same target with other monitored projects.
+
 ### `--exclude-app-vulns`
 
 Allow disabling scans for app vulnerabilities; in CLI versions 1.1090.0 (2023-01-24) and higher, `app-vulns` is enabled by default.

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -117,7 +117,7 @@
     "semver": "^6.0.0",
     "snyk-config": "^5.0.0",
     "snyk-cpp-plugin": "2.24.0",
-    "snyk-docker-plugin": "6.17.0",
+    "snyk-docker-plugin": "git+ssh://[email protected]:snyk/snyk-docker-plugin.git#feat/container-remote-repo-url",
     "snyk-go-plugin": "1.23.0",
     "snyk-gradle-plugin": "4.9.0",
     "snyk-module": "3.1.0",

diff --git a/src/cli/commands/monitor/index.ts b/src/cli/commands/monitor/index.ts
@@ -92,9 +92,6 @@ export default async function monitor(...args0: MethodArgs): Promise<any> {
     checkOSSPaths(paths, options);
   }
 
-  if (options.docker && options['remote-repo-url']) {
-    throw new Error('`--remote-repo-url` is not supported for container scans');
-  }
   if (options.docker) {
     // order is important here, we want:
     // 1) exclude-app-vulns set -> no app vulns

diff --git a/src/lib/ecosystems/monitor.ts b/src/lib/ecosystems/monitor.ts
@@ -107,6 +107,9 @@ export async function generateMonitorDependenciesRequest(
   scanResult.name =
     options['project-name'] || config.PROJECT_NAME || scanResult.name;
   scanResult.targetReference = options['target-reference'];
+  if (scanResult.target && options['remote-repo-url']) {
+    scanResult.target.remoteUrl = options['remote-repo-url'];
+  }
   // WARNING! This mutates the payload. Policy logic should be in the plugin.
   const policy = await findAndLoadPolicyForScanResult(scanResult, options);
   if (policy !== undefined) {

diff --git a/src/lib/ecosystems/types.ts b/src/lib/ecosystems/types.ts
@@ -18,6 +18,7 @@ export interface GitTarget {
 
 export interface ContainerTarget {
   image: string;
+  remoteUrl?: string;
 }
 
 export interface NamedTarget extends GitTarget {

diff --git a/test/jest/acceptance/snyk-container/container.spec.ts b/test/jest/acceptance/snyk-container/container.spec.ts
@@ -467,7 +467,7 @@ DepGraph end`,
     });
   });
 
-  describe('snyk container monitor supports --target-reference', () => {
+  describe('snyk container monitor supports --target-reference and --remote-repo-url', () => {
     let server: ReturnType<typeof fakeServer>;
     let env: Record<string, string>;
 
@@ -514,6 +514,45 @@ DepGraph end`,
         expect(request.body.scanResult.targetReference).toBe('test-target-ref');
       });
     });
+
+    it('forwards value of remote-repo-url to test-dependencies endpoint', async () => {
+      const { code } = await runSnykCLI(
+        `container test ${TEST_DISTROLESS_STATIC_IMAGE} --remote-repo-url=https://github.com/org/my-repo-test`,
+        {
+          env,
+        },
+      );
+      expect(code).toEqual(0);
+
+      const monitorRequests = server
+        .getRequests()
+        .filter((request) => request.url?.includes('/test-dependencies'));
+
+      expect(monitorRequests.length).toBeGreaterThanOrEqual(1);
+      monitorRequests.forEach((request) => {
+        expect(request.body.scanResult.target.remoteUrl).toBe('https://github.com/org/my-repo-test');
+      });
+    });
+
+    it('forwards value of remote-repo-url to monitor-dependencies endpoint', async () => {
+      const { code } = await runSnykCLI(
+        `container monitor ${TEST_DISTROLESS_STATIC_IMAGE} --remote-repo-url=https://github.com/org/my-repo-test`,
+        {
+          env,
+        },
+      );
+      expect(code).toEqual(0);
+
+      const monitorRequests = server
+        .getRequests()
+        .filter((request) => request.url?.includes('/monitor-dependencies'));
+
+      expect(monitorRequests.length).toBeGreaterThanOrEqual(1);
+      monitorRequests.forEach((request) => {
+        expect(request.body.scanResult.target.remoteUrl).toBe('https://github.com/org/my-repo-test');
+      });
+
+  });
   });
 
   function assertCliExitCode(