snyk-scan.yml
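---
# Snyk dependency scanning for this repository.
#
# Two jobs:
#   - snyk_scan_test    (pull_request): `snyk test` only the lockfiles/manifests
#                       the PR touched; fails the check if Snyk reports a
#                       *fixable* vulnerability (--fail-on=all).
#   - snyk_scan_monitor (push to main / release tag, manual dispatch):
#                       `snyk monitor` every manifest so the Snyk org tracks it.
#
# Review notes:
#   - All third-party actions should be pinned to a full-length commit SHA, not a
#     mutable branch or tag. A hijacked tag runs inside these jobs with the repo
#     token; tj-actions/changed-files in particular has been compromised this way.
#   - Output of changed-files is derived from PR file names and is therefore
#     attacker-controlled on fork PRs. It is passed through `env:` and never
#     expanded with `${{ }}` inside a `run:` script (template injection).
#   - On pull requests from forks `secrets.SNYK_TOKEN` is empty, so the test job
#     will report every scan step as "failure" for such PRs.
name: Snyk Security Vulnerability Scan

on:
  workflow_dispatch:
  pull_request:
    types: [opened, edited, synchronize]
  # The `create` event does not support a `tags` filter and no job was gated on
  # it, so it has been dropped; release tags are caught by `push` below.
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
    branches:
      - main

# Least privilege: the default GITHUB_TOKEN only needs to read the checkout.
permissions:
  contents: read

jobs:
  snyk_scan_test:
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
      # TODO(review): replace tag/branch refs with full commit SHAs.
      - uses: actions/checkout@v3
      - uses: snyk/actions/setup@master
      - name: Check changed Deps files
        uses: tj-actions/changed-files@v35
        id: changed-files
        with:
          files: |  # This will match all the files with below patterns
            **/package-lock.json
            **/requirements.txt
            **/go.mod
      - name: List all changed files
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: |
          for file in $CHANGED_FILES; do
            echo "$file was changed"
          done

      - uses: actions/setup-node@v3
        with:
          node-version: '16.x'
      - name: Snyk scan for Node dependencies - package-lock.json files
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package-lock.json')
        id: scan1
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          # Untrusted on fork PRs: keep it out of the script text.
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: |
          status=0
          for file in $CHANGED_FILES; do
            if [[ "$file" == *"package-lock.json" ]]; then
              directory=$(dirname "$file")
              # Subshell so the cd does not leak into later iterations. Lifecycle
              # scripts are skipped: package.json may come from an untrusted PR.
              (cd "$directory" && npm install --ignore-scripts)
              # Scan every matching file even if an earlier one fails.
              snyk test --file="$file" -d --fail-on=all || status=1
            fi
          done
          exit "$status"

      - uses: actions/setup-python@v4
        with:
          python-version: '3.8'
      - name: Snyk scan for Python dependencies - requirements.txt files
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt')
        id: scan2
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: |
          status=0
          for file in $CHANGED_FILES; do
            if [[ "$file" == *"requirements.txt" ]]; then
              # NOTE(review): installing a PR-supplied requirements file executes
              # arbitrary setup.py code on the runner; the job holds no secrets
              # for fork PRs and only a read token, but it is still untrusted code.
              python3 -m pip install -r "$file"
              snyk test --command=python3 --package-manager=pip --file="$file" --skip-unresolved -d --fail-on=all || status=1
            fi
          done
          exit "$status"

      - uses: actions/setup-go@v3
        with:
          go-version: '1.18'
      - name: Snyk scan for Go dependencies - go.mod file
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'go.mod')
        id: scan3
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
        run: |
          status=0
          for file in $CHANGED_FILES; do
            if [[ "$file" == *"go.mod" ]]; then
              GOFLAGS="-e" snyk test --file="$file" -p -d --skip-unresolved --fail-on=all || status=1
            fi
          done
          exit "$status"

      # Turn the continue-on-error scan outcomes into a single failing check.
      # (A non-existent `scan4` step was previously referenced here; removed.)
      - name: Check Snyk scan results
        if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure'
        shell: bash
        run: |
          echo "[warning] Please solve the fixable security vulnerabilities found in failed steps!
          Snyk scan for Node dependencies [package-lock.json] - ${{ steps.scan1.outcome }}
          Snyk scan for Python dependencies - ${{ steps.scan2.outcome }}
          Snyk scan for Go dependencies - ${{ steps.scan3.outcome }}
          "
          exit 1

  snyk_scan_monitor:
    # workflow_dispatch previously matched no job at all; a manual run now
    # re-registers the selected ref's projects with Snyk.
    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin to a full commit SHA.
      - uses: actions/checkout@v3
      - name: Extract github branch/tag name
        id: extract_ref
        shell: bash
        # Last path component of refs/heads/<branch> or refs/tags/<tag>.
        run: echo "ref=${GITHUB_REF##*/}" >> "$GITHUB_OUTPUT"
      - uses: snyk/actions/setup@master

      - uses: actions/setup-node@v3
        with:
          node-version: '16.x'
      - name: Snyk scan for Node dependencies - package-lock.json files
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        run: |
          for file in $(find . -name "package-lock.json"); do
            directory=$(dirname "$file")
            (cd "$directory" && npm install --ignore-scripts)
            file=${file:2}  # strip leading "./"
            snyk monitor --org=nitro-cf8 --remote-repo-url="nitro/$REF" --file="$file" --project-name="NITRO/nitro/$REF/$file" -d
          done

      - uses: actions/setup-python@v4
        with:
          python-version: '3.8'
      - name: Snyk scan for Python dependencies - requirements.txt files
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        run: |
          for file in $(find . -name "requirements.txt"); do
            python3 -m pip install -r "$file"
            file=${file:2}  # strip leading "./"
            snyk monitor --command=python3 --package-manager=pip --org=nitro-cf8 --remote-repo-url="nitro/$REF" --file="$file" --project-name="NITRO/nitro/$REF/$file" -d --skip-unresolved
          done

      - uses: actions/setup-go@v3
        with:
          go-version: '1.18'
      - name: Snyk scan for Go dependencies - go.mod
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        # Unlike the Node/Python steps this monitors a single hard-coded module;
        # other go.mod files in the tree are not registered.
        run: |
          GOFLAGS="-e" snyk monitor --org=nitro-cf8 --remote-repo-url="nitro/$REF" --file=cli/go.mod --project-name="NITRO/nitro/$REF/cli/go.mod" -p -d --skip-unresolved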