chore: Bump version #52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Snyk Security Vulnerability Scan | |
on: | |
workflow_dispatch: | |
pull_request: | |
types: [opened, edited, synchronize] | |
create: | |
tags: | |
- 'v[0-9]+.[0-9]+.[0-9]+' | |
push: | |
tags: | |
- 'v[0-9]+.[0-9]+.[0-9]+' | |
branches: | |
- main | |
jobs: | |
snyk_scan_test: | |
if: ${{ github.event_name == 'pull_request' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@master | |
- uses: snyk/actions/setup@master | |
- name: Check changed Deps files | |
uses: tj-actions/changed-files@v35 | |
id: changed-files | |
with: | |
files: | # This will match all the files with below patterns | |
**/package-lock.json | |
**/requirements.txt | |
**/go.mod | |
- name: List all changed files | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do | |
echo "$file was changed" | |
done | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- name: Snyk scan for Node dependencies - package-lock.json files | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package-lock.json') | |
id: scan1 | |
continue-on-error: true | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}: | |
do | |
if [[ "$file" == *"package-lock.json" ]]; then | |
directory=$(dirname "$file") | |
cd directory && npm install | |
snyk test --file=$file -d --fail-on=all | |
fi | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.8' | |
- name: Snyk scan for Python dependencies - requirements.txt files | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt') | |
id: scan2 | |
continue-on-error: true | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}: | |
do | |
if [[ "$file" == *"requirements.txt" ]]; then | |
python3 -m pip install -r $file | |
snyk test --command=python3 --package-manager=pip --file=$file --skip-unresolved -d --fail-on=all | |
fi | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: '1.18' | |
- name: Snyk scan for Go dependencies - go.mod file | |
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'go.mod') | |
id: scan3 | |
continue-on-error: true | |
run: | | |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}: | |
do | |
if [[ "$file" == *"go.mod" ]]; then | |
GOFLAGS="-e" snyk test --file=$file -p -d --skip-unresolved --fail-on=all | |
fi | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- name: Check Snyk scan results | |
if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure' || steps.scan4.outcome == 'failure' | |
shell: bash | |
run: | | |
echo "[warning] Please solve the fixable security vulnerabilities found in failed steps! | |
Snyk scan for Node dependencies [package-lock.json] - ${{ steps.scan1.outcome }} | |
Snyk scan for Python dependencies - ${{ steps.scan2.outcome }} | |
Snyk scan for Go dependencies - ${{ steps.scan3.outcome }} | |
" | |
exit 1 | |
snyk_scan_monitor: | |
if: ${{ github.event_name == 'push' }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@master | |
- name: Extract github branch/tag name | |
shell: bash | |
run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT | |
id: extract_ref | |
- uses: snyk/actions/setup@master | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- name: Snyk scan for Node dependencies - package-lock.json files | |
continue-on-error: true | |
run: | | |
for file in $(find . -name "package-lock.json"); do | |
directory=$(dirname "$file") | |
cd directory && npm install | |
file=${file:2} | |
snyk monitor --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=$file --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/$file -d | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.8' | |
- name: Snyk scan for Python dependencies - requirements.txt files | |
continue-on-error: true | |
run: | | |
for file in $(find . -name "requirements.txt"); do | |
python3 -m pip install -r $file | |
file=${file:2} | |
snyk monitor --command=python3 --package-manager=pip --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=$file --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/$file -d --skip-unresolved | |
done | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: '1.18' | |
- name: Snyk scan for Go dependencies - go.mod | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
GOFLAGS="-e" snyk monitor --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=cli/go.mod --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/cli/go.mod -p -d --skip-unresolved | |