.github/workflows/security.yml

---
name: Security Scan
on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      SNYK_TOKEN:
        required: true
      SNYK_ORG:
        required: true
  workflow_dispatch: {}
  schedule:
    - cron: '0 0 * * 0'

jobs:
  snyk:
    name: Snyk and Publish
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - name: Checkout Source
        uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
  snyk-code:
    name: Snyk Code and Publish
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - name: Checkout Source
        uses: actions/checkout@master
      - name: Run Snyk SAST to check for vulnerabilities
        uses: snyk/actions/golang@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
          command: code test
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif