lines changed Original file line number Diff line number Diff line change 1+ name : Snyk scheduled Docker base image scan
2+
3+ on :
4+ schedule :
5+ - cron : ' 0 3 * * 1'
6+ workflow_dispatch :
7+
8+ env :
9+ DOCKER_IMAGE : radarbase/radar-redcapintegration
10+
11+ jobs :
12+ security :
13+ runs-on : ubuntu-latest
14+
15+ steps :
16+ - uses : actions/checkout@v3
17+
18+ - name : Run Snyk to check for vulnerabilities
19+ continue-on-error : true # To make sure that SARIF upload gets called
20+ uses : snyk/actions/docker@master
21+ env :
22+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
23+ with :
24+ image : ${{ env.DOCKER_IMAGE }}
25+ # 'exclude-app-vulns' only tests vulnerabilities in the base image.
26+ # Code base vulnerabilities are tested the scheduled-snyk.yaml action.
27+ args : >-
28+ --file=Dockerfile
29+ --fail-on=upgradable
30+ --severity-threshold=high
31+ --policy-path=.snyk
32+ --exclude-app-vulns
33+ --org=radar-base
34+ --sarif-file-output=snyk.sarif
35+
36+ # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
37+ - name : Upload result to GitHub Code Scanning
38+ uses : github/codeql-action/upload-sarif@v3
39+ with :
40+ sarif_file : snyk.sarif
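Review bot: The new job declares no `permissions:` block, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write` on the `GITHUB_TOKEN`; on repositories whose default token permission is read-only the upload step fails and the scan results never reach Code Scanning. A least-privilege block at job level, `permissions:` / `  contents: read` / `  security-events: write`, makes that requirement explicit and grants nothing beyond it. The scanner itself is pulled as `snyk/actions/docker@master`, a mutable ref that receives `SNYK_TOKEN`; pinning it to a full commit SHA (tag in a trailing comment) closes that supply-chain exposure. Note also that `DOCKER_IMAGE` carries no tag, so each run scans whatever `latest` currently is on the registry, which is presumably not always the image actually deployed — verify that matches the intent.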
Original file line number Diff line number Diff line change 1- name : Snyk scheduled test
1+ name : Snyk scheduled code base scan
2+
23on :
34 schedule :
45 - cron : ' 0 2 * * 1'
5- push :
6- branches :
7- - master
6+ workflow_dispatch :
87
98jobs :
109 security :
1110 runs-on : ubuntu-latest
12- env :
13- REPORT_FILE : test.json
11+
1412 steps :
1513 - uses : actions/checkout@v3
16-
17- - name : Use Node.js 16
18- uses : actions/setup-node@v3
14+ - uses : actions/setup-node@v3
1915 with :
2016 node-version : 16
17+ cache : npm
2118
2219 - name : Run Snyk to check for vulnerabilities
2320 uses : snyk/actions/gradle-jdk17@master
21+ continue-on-error : true # To make sure that SARIF upload gets called
2422 env :
2523 SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
2624 with :
27- args : --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
25+ args : >-
26+ --all-projects
27+ --configuration-matching='^runtimeClasspath$'
28+ --fail-on=upgradable
29+ --severity-threshold=high
30+ --policy-path=.snykS
31+ --org=radar-base
32+ --sarif-file-output=snyk.sarif
2833
29- - name : Report new vulnerabilities
30- uses : thehyve/report-vulnerability@master
31- if : success() || failure()
34+ # Detected vulnerabilities will appear on Github in Security->Codescanning_alerts tab
35+ - name : Upload result to GitHub Code Scanning
36+ uses : github/codeql-action/upload-sarif@v3
3237 with :
33- report-file : ${{ env.REPORT_FILE }}
34- env :
35- TOKEN : ${{ secrets.GITHUB_TOKEN }}
38+ sarif_file : snyk.sarif
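Review bot: `--policy-path=.snykS` in the new args list looks like a typo for `.snyk`; the other two workflows in this commit pass `--policy-path=.snyk`, so this scan would not apply the repository's ignore policy, and with `continue-on-error: true` now set on the step any resulting error is masked in the job status (only a missing `snyk.sarif` at upload time would surface it). The fix is one character: `--policy-path=.snyk`. Separately, the `actions/setup-node@v3` step with `cache: npm` is kept here while the PR workflow drops Node entirely; `cache: npm` fails the job when no npm lockfile is found, and nothing in a `gradle-jdk17` scan obviously needs Node, so presumably it can be removed here too — confirm the repo has no package-lock.json it relies on. As in the other workflows, `snyk/actions/gradle-jdk17@master` is an unpinned ref handling `SNYK_TOKEN`, and the job sets no `permissions:` although `upload-sarif` needs `security-events: write`.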
Original file line number Diff line number Diff line change 1- name : Snyk test
1+ name : Snyk test on PR commits
2+
23on :
34 pull_request :
4- branches : [ master, dev ]
5+ branches :
6+ - main
7+ - dev
8+ - release-*
9+
510jobs :
611 security :
712 runs-on : ubuntu-latest
813 steps :
914 - uses : actions/checkout@v3
1015
11- - name : Use Node.js 16
12- uses : actions/setup-node@v3
13- with :
14- node-version : 16
15-
1616 - name : Run Snyk to check for vulnerabilities
1717 uses : snyk/actions/gradle-jdk17@master
1818 env :
1919 SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
2020 with :
21- args : --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk
21+ args : >-
22+ --all-projects
23+ --configuration-matching="^runtimeClasspath$"
24+ --severity-threshold=high
25+ --fail-on=upgradable
26+ --org=radar-base
27+ --policy-path=.snyk
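Review bot: This PR gate runs `snyk/actions/gradle-jdk17@master` with `secrets.SNYK_TOKEN`, but on `pull_request` events from forked repositories the secret is empty, so the step fails for every external contributor's PR instead of producing a scan result; if forks are expected, guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that the failure is accepted. `@master` is a mutable ref for code that handles the token — pin it to a commit SHA. The job declares no `permissions:`; it only reads the checkout, so `permissions:` / `  contents: read` at job level applies least privilege. `--fail-on=upgradable` means a high-severity finding with no upgrade path does not block the PR, which is a reasonable policy but worth stating in a comment above `args` so reviewers do not mistake a green check for "no high findings".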