CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1 #80462

coderabbitai · 2026-06-12T09:54:17Z

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Does Snyk code test command support --exclude flag for excluding directories?

💡 Result:

The snyk code test command does not support the --exclude flag for excluding directories [1][2][3]. While the --exclude flag is available for other commands like snyk test (used for Open Source scanning) to ignore directories and files [4][5], it is not a recognized option for Snyk Code (SAST) scanning [1][2]. To exclude directories or files from a Snyk Code scan, you must use one of the following methods: 1. Use the snyk ignore --file-path=<directory_or_file> command: Running this command will automatically create or update a.snyk file in your repository to exclude the specified path from future snyk code test scans [6][3]. 2. Manually configure a.snyk file: You can manually create or edit a.snyk file in your repository to include the directories or files you wish to exclude from the scanning process [2][3].

Citations:

1: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/code-test

2: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/scan-source-code-with-snyk-code-using-the-cli

3: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/exclude-directories-and-files-from-snyk-code-cli-tests

4: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/test

5: https://github.com/snyk/user-docs/blob/main/docs/developer-tools/snyk-cli/commands/test.md

6: https://docs.snyk.io/developer-tools/snyk-cli/snyk-cli/commands/ignore

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml" echo "=== YAML context around target lines ===" # Print a safe window around 456-457 (approx); clamp by grep to show exact env keys too nl -ba "$FILE" | sed -n '430,490p' | sed -n '/SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD/ p' -e '1,200p' || true # Better: show full window nl -ba "$FILE" | sed -n '440,475p' echo "=== Full lines containing env vars (with some surrounding context) ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE" -n # Print 20 lines before/after each match rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$FILE" -n -C 15 rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE" -n -C 15 echo "=== Search where these env vars are consumed in the repo ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS" . rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" . rg -n "severity-threshold=high" .

Repository: openshift/release

Length of output: 306

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml" echo "=== YAML context around target lines (440-475) ===" cat -n "$FILE" | sed -n '440,475p' echo "=== Matching lines only ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS|SNYK_PRE_EXECUTION_HOOK_CMD" "$FILE" echo "=== Where these env vars are consumed in the repo (limited to yaml/sh) ===" rg -n --glob '*.{yaml,yml,sh}' "SNYK_CODE_ADDITIONAL_ARGS" . rg -n --glob '*.{yaml,yml,sh}' "SNYK_PRE_EXECUTION_HOOK_CMD" . echo "=== Any explicit snyk code test invocation with severity threshold ===" rg -n --glob '*.{yaml,yml,sh}' "snyk( |-)code|snyk code|severity-threshold" .

Repository: openshift/release

Length of output: 50374

🏁 Script executed:

#!/bin/bash set -euo pipefail # Find where SNYK_PRE_EXECUTION_HOOK_CMD is consumed echo "=== Where SNYK_PRE_EXECUTION_HOOK_CMD is consumed ===" rg -n --glob '*.{yaml,yml,sh}' "SNYK_PRE_EXECUTION_HOOK_CMD" . # Inspect the ci-tools logic around SNYK_CODE_ADDITIONAL_ARGS parsing TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml" echo "=== Inspect SNYK_CODE_ADDITIONAL_ARGS parsing in $TOOLS_FILE ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" echo "=== Show surrounding logic (around first match) ===" # show a small window around the first match for readability FIRST_LINE=$(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" | head -n1 | cut -d: -f1) START=$((FIRST_LINE-80)) END=$((FIRST_LINE+120)) sed -n "${START},${END}p" "$TOOLS_FILE" | nl -ba | head -n 240 echo "=== Also search inside ci-tools for severity-threshold usage ===" rg -n "severity-threshold" "$TOOLS_FILE"

Repository: openshift/release

Length of output: 2580

🏁 Script executed:

#!/bin/bash set -euo pipefail # 1) Inspect the step-registry snyk scan script STEP_SCRIPT="ci-operator/step-registry/openshift/ci-security/snyk/scan/openshift-ci-security-snyk-scan-commands.sh" echo "=== Inspect $STEP_SCRIPT (snyk invocation + env var usage) ===" rg -n "snyk( |-)code test|SNYK_CODE_ADDITIONAL_ARGS|severity-threshold|SNYK_PRE_EXECUTION_HOOK_CMD|eval \"\\$SNYK_PRE_EXECUTION_HOOK_CMD\"|cd " "$STEP_SCRIPT" echo "=== Show around eval of pre-exec hook ===" rg -n "eval \"\\$SNYK_PRE_EXECUTION_HOOK_CMD\"|SNYK_PRE_EXECUTION_HOOK_CMD" "$STEP_SCRIPT" -n -C 8 echo "=== Show around SNYK_CODE_ADDITIONAL_ARGS usage ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$STEP_SCRIPT" -n -C 12 # 2) Inspect how ci-tools main uses SNYK_CODE_ADDITIONAL_ARGS and constructs params TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml" echo "=== Inspect $TOOLS_FILE around parsing SNYK_CODE_ADDITIONAL_ARGS ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" -n | head -n 20 FIRST_LINE=$(rg -n "if \\[ \"\\$SNYK_CODE_ADDITIONAL_ARGS\" \\]; then" "$TOOLS_FILE" -n | head -n1 | cut -d: -f1 || true) if [ -n "${FIRST_LINE}" ]; then START=$((FIRST_LINE-60)) END=$((FIRST_LINE+160)) sed -n "${START},${END}p" "$TOOLS_FILE" fi echo "=== Inspect snyk code test command construction in ci-tools ===" rg -n "snyk( |-)code test" "$TOOLS_FILE" -n -C 5 rg -n "severity-threshold" "$TOOLS_FILE" -n -C 5

Repository: openshift/release

Length of output: 296

🏁 Script executed:

#!/bin/bash set -euo pipefail STEP_SCRIPT="ci-operator/step-registry/openshift/ci-security/snyk/scan/openshift-ci-security-snyk-scan-commands.sh" TOOLS_FILE="ci-operator/config/openshift/ci-tools/openshift-ci-tools-main.yaml" echo "=== STEP SCRIPT: $STEP_SCRIPT (line count) ===" wc -l "$STEP_SCRIPT" echo "=== STEP SCRIPT: matches ===" rg -n "SNYK_PRE_EXECUTION_HOOK_CMD|SNYK_CODE_ADDITIONAL_ARGS|snyk( |-)code test|severity-threshold" "$STEP_SCRIPT" || true echo "=== STEP SCRIPT: show windows around SNYK_PRE_EXECUTION_HOOK_CMD ===" for line in $(rg -n "SNYK_PRE_EXECUTION_HOOK_CMD" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do start=$((line-40)); [ $start -lt 1 ] && start=1 end=$((line+60)) echo "--- $STEP_SCRIPT:$line ---" sed -n "${start},${end}p" "$STEP_SCRIPT" done echo "=== STEP SCRIPT: show windows around SNYK_CODE_ADDITIONAL_ARGS ===" for line in $(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do start=$((line-40)); [ $start -lt 1 ] && start=1 end=$((line+80)) echo "--- $STEP_SCRIPT:$line ---" sed -n "${start},${end}p" "$STEP_SCRIPT" done echo "=== STEP SCRIPT: show windows around snyk code test ===" for line in $(rg -n "snyk( |-)code test" "$STEP_SCRIPT" | head -n 5 | cut -d: -f1); do start=$((line-40)); [ $start -lt 1 ] && start=1 end=$((line+80)) echo "--- $STEP_SCRIPT:$line ---" sed -n "${start},${end}p" "$STEP_SCRIPT" done echo "=== TOOLS FILE: $TOOLS_FILE (line count) ===" wc -l "$TOOLS_FILE" echo "=== TOOLS FILE: matches for snyk code test/severity threshold/SNYK_CODE_ADDITIONAL_ARGS ===" rg -n "SNYK_CODE_ADDITIONAL_ARGS|snyk( |-)code test|severity-threshold" "$TOOLS_FILE" || true echo "=== TOOLS FILE: show around SNYK_CODE_ADDITIONAL_ARGS parsing ===" for line in $(rg -n "SNYK_CODE_ADDITIONAL_ARGS" "$TOOLS_FILE" | head -n 10 | cut -d: -f1); do start=$((line-40)); [ $start -lt 1 ] && start=1 end=$((line+120)) echo "--- $TOOLS_FILE:$line ---" sed -n "${start},${end}p" "$TOOLS_FILE" | head -n 260 done

Repository: openshift/release

Length of output: 27192

Snyk severity-threshold change suppresses non-vendored findings (vendor removal doesn’t limit it)

SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor runs before the code scan, but SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high is injected into the same snyk code test invocation, so medium/low findings in the remaining (non-vendor) code are also suppressed.

snyk code test doesn’t support --exclude; if the goal is to ignore vendored paths, use snyk ignore / a .snyk policy (and wire it in, e.g. via --policy-path=.snyk) instead of raising the global severity threshold.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci-operator/config/openshift/cluster-network-operator/openshift-cluster-network-operator-master.yaml` around lines 456 - 457, The current CI config sets SNYK_PRE_EXECUTION_HOOK_CMD to remove vendor and also injects SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high which suppresses medium/low findings globally; instead remove the severity-threshold arg and wire a Snyk policy to ignore vendored paths (create or update a .snyk policy and pass it into the Snyk invocation via --policy-path=.snyk or use snyk ignore entries), leaving SNYK_PRE_EXECUTION_HOOK_CMD either removing vendor or better yet keep vendor and rely on the .snyk policy; update/replace SNYK_CODE_ADDITIONAL_ARGS accordingly to avoid masking non-vendored findings.

-Original file line number
+Diff line change
@@ Expand Up / @@ -453,6 +453,8 @@ tests: @@
         env:
           ALL_PROJECTS: "true"
           PROJECT_NAME: cluster-network-operator
+          SNYK_CODE_ADDITIONAL_ARGS: --severity-threshold=high
+          SNYK_PRE_EXECUTION_HOOK_CMD: rm -rf vendor
         workflow: openshift-ci-security
     - as: hypershift-e2e-aks
       skip_if_only_changed: ^(docs|\.vscode)/|\.md$|^(\.gitignore|\.gitattributes|\.golangci\.yaml|OWNERS|OWNERS_ALIASES|LICENSE|sample-.*\.yaml)$
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1 #80462

Diff view

Diff view

There are no files selected for viewing

coderabbitai Bot Jun 12, 2026

Uh oh!

CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1 #80462

Are you sure you want to change the base?

CORENET-7277: Security ci/prow/security fails for PR openshift/cluster-network-operator#3017 which is to bump k8s to 1.36.1 #80462

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

coderabbitai Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!