Run Snyk Scan #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run Snyk Scan | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| SNYK_API_KEY: | |
| description: 'Snyk API Key needed to run security scan' | |
| required: true | |
| type: string | |
| jobs: | |
| build: | |
| name: Build | |
| runs-on: ubuntu-latest | |
| env: | |
| SNYK_API_KEY: ${{secrets[github.event.inputs.SNYK_API_KEY]}} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # shallow clone doesn't fetch tags, so cdp-release-management plugin doesn't work without this | |
| fetch-depth: 0 | |
| - name: Run Snyk | |
| shell: bash | |
| run: | | |
| cd scan | |
| set -e | |
| npx snyk auth ${{ env.SNYK_API_KEY }} | |
| declare -a directoriesToScan=( | |
| src | |
| pkg | |
| internal | |
| ) | |
| rm -rf ./include/ | |
| for includedDir in ${directoriesToScan[*]} | |
| do | |
| mkdir -p $(dirname ./include/$includedDir) | |
| target=$(realpath ../$includedDir) | |
| ln -s $target ./include/$includedDir | |
| done | |
| cd ./include/ # Snyk can't handle scanning properly unless scanning inside the current directory. | |
| npx snyk code test --json | npx snyk-to-html -o ../report.html | |
| cd ../ | |
| rm -rf ./include | |
| cd .. |