PRODSEC-1257 Whitesource Transition to Snyk (#308)

sfc-gh-jfan · sfc-gh-mkeller · web-flow · commit 725e926e91e9 · 2022-07-01T13:12:07.000-07:00
* PRODSEC-1257 Whitesource Transition to Snyk

* add CLA

* address feedback

* minor update

* formatting

* CLA bot

* Update .github/workflows/snyk-pr.yml

Co-authored-by: Mark Keller &lt;63477823+sfc-gh-mkeller@users.noreply.github.com&gt;
diff --git a/.github/workflows/cla_bot.yml b/.github/workflows/cla_bot.yml
@@ -19,6 +19,6 @@ jobs:
           path-to-signatures: 'signatures/version1.json'
           path-to-document: 'https://github.com/Snowflake-Labs/CLA/blob/main/README.md'
           branch: 'main'
-          allowlist: 'dependabot[bot],github-actions'
+          allowlist: 'dependabot[bot],github-actions, sfc-gh-snyk-sca-sa'
           remote-organization-name: 'snowflakedb'
           remote-repository-name: 'cla-db'
diff --git a/.github/workflows/snyk-issue.yml b/.github/workflows/snyk-issue.yml
@@ -0,0 +1,29 @@
+name: Snyk Issue 
+
+on:
+  schedule:
+    - cron: '* */12 * * *'
+
+concurrency: snyk-issue
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Action
+      uses: actions/checkout@v3
+      with:
+        repository: snowflakedb/whitesource-actions
+        token: ${{ secrets.whitesource_action_token }}
+        path: whitesource-actions
+    - name: Set Env
+      run: echo "repo=$(basename $github_repository)" >> $github_env
+    - name: Jira Creation
+      uses: ./whitesource-actions/snyk-issue
+      with:
+        snyk_org: ${{ secrets.snyk_org_id_public_repo }}
+        snyk_token:  ${{ secrets.snyk_github_integration_token_public_repo }}
+        jira_token: ${{ secrets.jira_token_public_repo }}
+      env:
+        gh_token: ${{ secrets.github_token }}
+
diff --git a/.github/workflows/snyk-pr.yml b/.github/workflows/snyk-pr.yml
@@ -0,0 +1,31 @@
+name: Snyk PR
+on:
+  pull_request:
+    branches:
+      - main
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'sfc-gh-snyk-sca-sa' }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+        fetch-depth: 0
+
+    - name: Checkout Action
+      uses: actions/checkout@v3
+      with:
+        repository: snowflakedb/whitesource-actions
+        token: ${{ secrets.whitesource_action_token }}
+        path: whitesource-actions
+
+    - name: Snyk Pull Request Scan Check
+      uses: ./whitesource-actions/snyk-pr
+      env:
+        pr_title: ${{ github.event.pull_request.title }}
+      with:
+        jira_token: ${{ secrets.jira_token_public_repo }}
+        gh_token: ${{ secrets.github_token }}
+        amend: false
diff --git a/ci/wss.sh b/ci/wss.sh
