radixdlt · marek-xrd · Mar 12, 2025
@@ -201,29 +201,3 @@ jobs:
         with:
           files: |
             babylon-node-${{ needs.setup_version_properties.outputs.VERSION_TAG }}.zip
-
-  snyk-sbom:
-    if: github.event_name == 'release'
-    name: SBOM
-    runs-on: ubuntu-22.04 # Fix GLIBC
-    permissions: write-all
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-sbom'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Generate SBOM
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
-          command: sbom
-      - name: Upload SBOM
-        uses: RDXWorks-actions/action-gh-release@master
-        with:
-          files: |
-            sbom.json
@@ -30,75 +30,6 @@ jobs:
       phylum_project_id: 3f5b2c53-46bd-4f68-b050-5898f929002f
       github_repository: ${{ github.repository }}
       add_report_comment_to_pull_request: true
-  snyk-scan-deps-licences:
-    name: Snyk deps/licences scan
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-scan-deps-licenses'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Run Snyk to check for deps vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical
-  snyk-scan-code:
-    name: Snyk code scan
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-scan-code'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Run Snyk to check for code vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        continue-on-error: true
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high
-          command: code test
-  snyk-sbom:
-    name: Snyk SBOM
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-sbom'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
-          command: sbom
   build:
     name: Unit tests and sonarqube
     runs-on: selfhosted-ubuntu-22.04-16-cores

@@ -157,8 +157,7 @@ jobs:
       cache_tag_suffix: "amd64"
       use_gh_remote_cache: true
       provenance: "false"
-      scan_image: true
-      snyk_target_ref: ${{ github.ref_name }}
+      scan_image: false
       build-args: |
         VERSION_BRANCH=${{ needs.setup_version_properties.outputs.VERSION_BRANCH }}
         VERSION_COMMIT=${{ needs.setup_version_properties.outputs.VERSION_COMMIT }}
@@ -200,7 +199,6 @@ jobs:
       use_gh_remote_cache: true
       provenance: "false"
       scan_image: false
-      snyk_target_ref: ${{ github.ref_name }}
       platforms: "linux/arm64"
       cache_tag_suffix: arm64
       build-args: |
@@ -319,54 +317,6 @@ jobs:
     secrets:
       role-to-assume: ${{ secrets.DOCKERHUB_RELEASER_ROLE }}
 
-  snyk_container_monitor:
-    name: Snyk monitor container
-    runs-on: ubuntu-latest
-    needs:
-      - build_push_container_dockerhub
-      - build_push_container_dockerhub_arm
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }}
-          snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          snyk_org_id: ${{ secrets.SNYK_ORG_ID }}
-          image: docker.io/radixdlt/babylon-node:${{ github.event.release.tag_name }}-amd64
-          target_ref: ${{ github.ref_name }}
-
-  snyk_monitor:
-    name: Snyk monitor
-    runs-on: ubuntu-latest
-    needs:
-      - build_push_container_dockerhub
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-monitor'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Enable Snyk online monitoring to check for vulnerabilities
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }}
-          command: monitor
-
 # TEMPORARILY REMOVE EPHEMERAL TESTS
 # => Until we can change them to only run the "node" tests and not the transaction tests
 # ephemeral-deploy-and-test:

@@ -27,8 +27,7 @@ jobs:
       target: "babylon-node-build-layers"
       platforms: "linux/amd64"
       provenance: "false"
-      scan_image: true
-      snyk_target_ref: ${{ github.ref_name }}
+      scan_image: false
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: amd64
@@ -52,7 +51,6 @@ jobs:
       platforms: "linux/arm64"
       provenance: "false"
       scan_image: false
-      snyk_target_ref: ${{ github.ref_name }}
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: arm64
@@ -91,8 +89,7 @@ jobs:
       target: "babylon-node-build-layers"
       platforms: "linux/amd64"
       provenance: "false"
-      scan_image: true
-      snyk_target_ref: ${{ github.ref_name }}
+      scan_image: false
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: amd64
@@ -116,7 +113,6 @@ jobs:
       platforms: "linux/arm64"
       provenance: "false"
       scan_image: false
-      snyk_target_ref: ${{ github.ref_name }}
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: arm64
@@ -155,8 +151,7 @@ jobs:
       target: "babylon-node-build-layers"
       platforms: "linux/amd64"
       provenance: "false"
-      scan_image: true
-      snyk_target_ref: ${{ github.ref_name }}
+      scan_image: false
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: amd64
@@ -180,7 +175,6 @@ jobs:
       platforms: "linux/arm64"
       provenance: "false"
       scan_image: false
-      snyk_target_ref: ${{ github.ref_name }}
       enable_dockerhub: true
       use_gh_remote_cache: true
       cache_tag_suffix: arm64