How do I configure my .snyk file to fail the build automatically if the setting to ignore a particular vulnerability has passed its expiry?


I have a .snyk policy file which is supposed to ignore vulnerabilities until a given date:

version: v1.25.0
ignore:
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability should have a fix soon:
            expires: 2023-11-01T00:00:00.000Z
            created: 2023-10-11T00:00:00.000Z
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability should have a fix soon:
            expires: 2023-11-13T00:00:00.000Z
            created: 2023-10-23T00:00:00.000Z
  <REDACTED>:
      - '*':
          reason: >-
            This vulnerability will be addressed as a part of <TICKET>:
            expires: 2023-12-23T00:00:00.000Z
            created: 2023-06-23T00:00:00.000Z
patch: {}

My expectation is that these vulnerabilities should now fail the build, but that hasn't been happening. The Snyk documentation is not very clear, anywhere, about what will actually happen when the expiry is passed.

Presumably there is something wrong with my config. How do I set Snyk up to automatically fail the build when the expiry is reached?

Snyk is set up as a task in our Azure pipeline like so:

  - task: SnykSecurityScan@0
    displayName: "Snyk Security App Scan"
    inputs:
      serviceConnectionEndpoint: 'Snyk'
      testType: 'app'
      monitorOnBuild: true
      failOnIssues: true
      severityThreshold: <SEVERITY>
      additionalArguments: '--all-projects'
    env:
      AZURE_ARTIFACTS_ENV_ACCESS_TOKEN: $(System.AccessToken)

There are 2 answers

0
Mick McCarthy On BEST ANSWER

Figured it out - indentation for expires and created was one level too far.
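As an added illustration (constructed here, not part of the answer or the poster's file), the misindented block from the question sits beside the corrected one; `<VULN-ID>` is a placeholder for the redacted Snyk issue ID. Because `reason: >-` starts a folded block scalar, every following line indented deeper than `reason` is swallowed into the reason string, so `expires` and `created` never reach Snyk as policy keys and the ignore has no expiry at all.

```yaml
# Before (as in the question): "expires:" and "created:" are indented under the
# folded scalar started by "reason: >-", so they are text, not policy keys.
# Snyk reads an ignore with no expiry, and it never lapses.
version: v1.25.0
ignore:
  <VULN-ID>:
      - '*':
          reason: >-
            This vulnerability should have a fix soon:
            expires: 2023-11-01T00:00:00.000Z
            created: 2023-10-11T00:00:00.000Z
patch: {}
---
# After: "expires" and "created" are siblings of "reason" under '*', at the
# same indentation, so they are read as policy keys and the ignore lapses on
# the given date. The trailing colon on the reason text is dropped as well.
version: v1.25.0
ignore:
  <VULN-ID>:
      - '*':
          reason: This vulnerability should have a fix soon
          expires: 2023-11-01T00:00:00.000Z
          created: 2023-10-11T00:00:00.000Z
patch: {}
```

Once the ignore lapses, the issue is reported like any other finding, so with the pipeline task shown in the question it fails the build only if `failOnIssues` is true and the issue meets the configured `severityThreshold`.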

2
Alma Vilcov On

It would help to understand how you set up Snyk in the pipeline.

Once the validity of an ignore expires, the vulnerability is now "open" (just as a regular, non-ignored vuln) so will show in scans including in the pipeline.

I don't know your pipeline set-up so will use CLI as an example. If you run

snyk test --severity-threshold=high

the operation will give an exit code 1 (fail) in case some vulnerabilities are HIGH or CRITICAL in the scan. If none are high or critical it will pass.

It's hard to assess what is going wrong without knowing the pipeline set-up, but here you can find CI/CD set-up examples; notice that on some of them there is a command saying

    continueOnError: true

if that is set to true, then the pipeline will continue regardless of the vulnerabilities it finds.

Hope this helps