add support of --fail-on Snyk flag

Signed-off-by: Guillaume Lours <guillaume.lours@docker.com>

Author: glours

README.md

@@ -222,6 +222,23 @@ Licenses:          enabled
 Tested 200 dependencies for known issues, found 157 issues.
 ``` 
 
+If your image has unfixed issues, and you need to bypass the error code, you can use the `--fail-on` flag.
+```console
+$ docker scan --fail-on=upgradable docker-scan:e2e
+...
+Organization:      docker-desktop-test
+Package manager:   deb
+Project name:      docker-image|docker-scan
+Docker image:      docker-scan:e2e
+Platform:          linux/amd64
+Licenses:          enabled
+
+Tested 200 dependencies for known issues, found 158 issues.
+
+❯ echo $?
+0
+```
+
 ### Provider Authentication
 
 If you have an existing Snyk account, you can directly use your auth token  

cmd/docker-scan/main.go

@@ -69,6 +69,7 @@ type options struct {
 	showVersion    bool
 	forceOptIn     bool
 	forceOptOut    bool
+	failOn         string
 }
 
 func newScanCmd(ctx context.Context, dockerCli command.Cli) *cobra.Command {
@@ -97,6 +98,7 @@ func newScanCmd(ctx context.Context, dockerCli command.Cli) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.showVersion, "version", false, "Display version of the scan plugin")
 	cmd.Flags().BoolVar(&flags.forceOptIn, "accept-license", false, "Accept using a third party scanning provider")
 	cmd.Flags().BoolVar(&flags.forceOptOut, "reject-license", false, "Reject using a third party scanning provider")
+	cmd.Flags().StringVar(&flags.failOn, "fail-on", "", "Only fail when there are vulnerabilities that can be fixed (all|upgradable|patchable)")
 
 	return cmd
 }
@@ -126,6 +128,12 @@ func configureProvider(ctx context.Context, dockerCli command.Streams, flags opt
 	if flags.dependencyTree {
 		opts = append(opts, provider.WithDependencyTree())
 	}
+	if flags.failOn != "" {
+		if flags.failOn != "all" && flags.failOn != "upgradable" && flags.failOn != "patchable" {
+			return nil, fmt.Errorf("--fail-on takes only 'all', 'upgradable' or 'patchable' values")
+		}
+		opts = append(opts, provider.WithFailOn(flags.failOn))
+	}
 	return provider.NewSnykProvider(opts...)
 }
 

e2e/scan_test.go

@@ -261,6 +261,42 @@ func TestScanWithDependencies(t *testing.T) {
 	assert.Assert(t, strings.Contains(output, "vulnerability found"))
 }
 
+func TestScanWithFailOn(t *testing.T) {
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		t.Skip("Can't run on this ci platform (windows containers or no engine installed)")
+	}
+	_, cleanFunction := createSnykConfFile(t, os.Getenv("E2E_TEST_AUTH_TOKEN"))
+	defer cleanFunction()
+
+	cmd, configDir, cleanup := dockerCli.createTestCmd()
+	defer cleanup()
+
+	createScanConfigFile(t, configDir)
+
+	cmd.Command = dockerCli.Command("scan", "--accept-license", "--fail-on", "upgradable", ImageWithVulnerabilities)
+	output := icmd.RunCmd(cmd).Assert(t, icmd.Expected{ExitCode: 0}).Combined()
+	assert.Assert(t, strings.Contains(output, "alpine:3.10.0")) // beginning of the dependency tree
+	assert.Assert(t, cmp.Regexp("found .* issues", output))
+}
+
+func TestScanWithFailOnBadValue(t *testing.T) {
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		t.Skip("Can't run on this ci platform (windows containers or no engine installed)")
+	}
+	_, cleanFunction := createSnykConfFile(t, os.Getenv("E2E_TEST_AUTH_TOKEN"))
+	defer cleanFunction()
+
+	cmd, configDir, cleanup := dockerCli.createTestCmd()
+	defer cleanup()
+
+	createScanConfigFile(t, configDir)
+
+	cmd.Command = dockerCli.Command("scan", "--accept-license", "--fail-on", "unsupportedValue", ImageWithVulnerabilities)
+	icmd.RunCmd(cmd).Assert(t, icmd.Expected{
+		ExitCode: 1,
+		Err:      "--fail-on takes only 'all', 'upgradable' or 'patchable' values"})
+}
+
 func createSnykConfFile(t *testing.T, token string) (*fs.Dir, func()) {
 	content := fmt.Sprintf(`{"api" : "%s"}`, token)
 	homeDir := fs.NewDir(t, t.Name(),

e2e/testdata/plugin-usage.golden

@@ -8,6 +8,8 @@ Options:
       --dependency-tree   Show dependency tree with scan results
       --exclude-base      Exclude base image from vulnerability scanning
                           (requires --file)
+      --fail-on string    Only fail when there are vulnerabilities that
+                          can be fixed (all|upgradable|patchable)
   -f, --file string       Dockerfile associated with image, provides more
                           detailed results
       --json              Output results in JSON format

internal/provider/snyk.go

@@ -136,6 +136,14 @@ func WithDependencyTree() SnykProviderOps {
 	}
 }
 
+// WithFailOn only fail when there are vulnerabilities that can be fixed
+func WithFailOn(failOn string) SnykProviderOps {
+	return func(provider *snykProvider) error {
+		provider.flags = append(provider.flags, "--fail-on="+failOn)
+		return nil
+	}
+}
+
 func (s *snykProvider) Authenticate(token string) error {
 	if token != "" {
 		if _, err := uuid.Parse(token); err != nil {