From 0002d4ebdd45b2a63e859d981a810d2f86bbbabb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Zaj=C4=85c?=
Date: Thu, 18 Apr 2024 17:19:33 +0200
Subject: [PATCH] Introduce Snyk vulnerability scanner (#114)
---
 .github/workflows/snyk.yml | 57 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 .github/workflows/snyk.yml
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 00000000..1fa3635f
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,57 @@
+name: '🐕‍🦺 Snyk: Vulnerability Analysis'
+
+on:
+ pull_request:
+ paths:
+ - 'src/**'
+ - '!src/qodana.yml'
+ - '.github/workflows/snyk.yml'
+ types: [opened, synchronize, reopened]
+ push:
+ branches:
+ - 'master'
+ paths:
+ - 'src/**'
+ - '!src/qodana.yml'
+ - '.github/workflows/snyk.yml'
+ schedule:
+ - cron: '14 6 * * 0' # Random time
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: 📥 checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: 🏗️ restore dependencies
+ run: dotnet restore ./src/Objectivity.AutoFixture.XUnit2.AutoMock.sln
+ - name: 🔬 snyk scan
+ uses: snyk/actions/dotnet@master
+ continue-on-error: true
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --sarif-file-output=snyk.sarif --file=src/Objectivity.AutoFixture.XUnit2.AutoMock.sln
+ - name: 📈 snyk monitor
+ uses: snyk/actions/dotnet@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --file=src/Objectivity.AutoFixture.XUnit2.AutoMock.sln
+ command: monitor
+ - name: 📊 upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
+ if: ${{ always() }}
\ No newline at end of file
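Review bot: Both the `🔬 snyk scan` and `📈 snyk monitor` steps run `snyk/actions/dotnet@master`, a mutable branch of a third-party action that is handed `SNYK_TOKEN`, so any later change to that branch executes in this job unreviewed with the token in scope; pin both to a full commit SHA, e.g. `uses: snyk/actions/dotnet@<commit-sha>  # <release-tag>`, and let Dependabot bump the pin. The monitor step also runs on every `pull_request` event with no `continue-on-error`, and on pull requests opened from forks `secrets.SNYK_TOKEN` is not available, so the job would fail there; it presumably only needs the `master` state, so gate it with `if: github.event_name != 'pull_request'`. Nothing in the hunk sets up a .NET SDK before `dotnet restore`, so the restore depends on whichever SDK the `ubuntu-latest` image happens to ship at the time, which makes scan results drift without any change to the repository.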