Skip to content

chore: Bump version #52

chore: Bump version

chore: Bump version #52

Workflow file for this run

name: Snyk Security Vulnerability Scan
on:
workflow_dispatch:
pull_request:
types: [opened, edited, synchronize]
create:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
push:
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
branches:
- main
jobs:
snyk_scan_test:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: snyk/actions/setup@master
- name: Check changed Deps files
uses: tj-actions/changed-files@v35
id: changed-files
with:
files: | # This will match all the files with below patterns
**/package-lock.json
**/requirements.txt
**/go.mod
- name: List all changed files
run: |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}; do
echo "$file was changed"
done
- uses: actions/setup-node@v3
with:
node-version: '16.x'
- name: Snyk scan for Node dependencies - package-lock.json files
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package-lock.json')
id: scan1
continue-on-error: true
run: |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}:
do
if [[ "$file" == *"package-lock.json" ]]; then
directory=$(dirname "$file")
cd directory && npm install
snyk test --file=$file -d --fail-on=all
fi
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- uses: actions/setup-python@v4
with:
python-version: '3.8'
- name: Snyk scan for Python dependencies - requirements.txt files
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt')
id: scan2
continue-on-error: true
run: |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}:
do
if [[ "$file" == *"requirements.txt" ]]; then
python3 -m pip install -r $file
snyk test --command=python3 --package-manager=pip --file=$file --skip-unresolved -d --fail-on=all
fi
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- uses: actions/setup-go@v3
with:
go-version: '1.18'
- name: Snyk scan for Go dependencies - go.mod file
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'go.mod')
id: scan3
continue-on-error: true
run: |
for file in ${{ steps.changed-files.outputs.all_changed_and_modified_files }}:
do
if [[ "$file" == *"go.mod" ]]; then
GOFLAGS="-e" snyk test --file=$file -p -d --skip-unresolved --fail-on=all
fi
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Check Snyk scan results
if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure' || steps.scan4.outcome == 'failure'
shell: bash
run: |
echo "[warning] Please solve the fixable security vulnerabilities found in failed steps!
Snyk scan for Node dependencies [package-lock.json] - ${{ steps.scan1.outcome }}
Snyk scan for Python dependencies - ${{ steps.scan2.outcome }}
Snyk scan for Go dependencies - ${{ steps.scan3.outcome }}
"
exit 1
snyk_scan_monitor:
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Extract github branch/tag name
shell: bash
run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
id: extract_ref
- uses: snyk/actions/setup@master
- uses: actions/setup-node@v3
with:
node-version: '16.x'
- name: Snyk scan for Node dependencies - package-lock.json files
continue-on-error: true
run: |
for file in $(find . -name "package-lock.json"); do
directory=$(dirname "$file")
cd directory && npm install
file=${file:2}
snyk monitor --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=$file --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/$file -d
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- uses: actions/setup-python@v4
with:
python-version: '3.8'
- name: Snyk scan for Python dependencies - requirements.txt files
continue-on-error: true
run: |
for file in $(find . -name "requirements.txt"); do
python3 -m pip install -r $file
file=${file:2}
snyk monitor --command=python3 --package-manager=pip --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=$file --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/$file -d --skip-unresolved
done
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- uses: actions/setup-go@v3
with:
go-version: '1.18'
- name: Snyk scan for Go dependencies - go.mod
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
GOFLAGS="-e" snyk monitor --org=nitro-cf8 --remote-repo-url=nitro/${{ steps.extract_ref.outputs.ref }} --file=cli/go.mod --project-name=NITRO/nitro/${{ steps.extract_ref.outputs.ref }}/cli/go.mod -p -d --skip-unresolved