-
Notifications
You must be signed in to change notification settings - Fork 415
65 lines (51 loc) · 2.14 KB
/
scan-with-snyk-code.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Name of the GitHub Actions workflow
name: Scan PHP code with Snyk Code
on:
# Trigger the workflow on the following events:
# Scan changed files in Pull Requests (diff-aware scanning).
pull_request: {}
# Trigger the workflow on-demand through the GitHub Actions interface.
workflow_dispatch: {}
# Scan mainline branches (main and development) and report all findings.
push:
branches: ["development"]
# Define the job(s) to be executed within the workflow
jobs:
security:
runs-on: ubuntu-latest
# Define permissions for specific actions
permissions:
actions: read
contents: read
security-events: write
name: Run Snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Define an environment variable 'SNYK_TOKEN' to securely store your Snyk token
steps:
- name: Checkout Code
uses: actions/checkout@main
# Action to check out the code from the repository
# This step fetches the codebase from your GitHub repository
- name: Install Snyk & Authenticate
run: |
# Install Snyk globally and authenticate using the provided token
sudo npm install -g snyk
snyk auth ${SNYK_TOKEN}
# The 'SNYK_TOKEN' is securely stored as a GitHub secret
- name: Run Snyk Code
run: |
# Run Snyk Code to scan PHP code
snyk code test -d --org="5647cfeb-45c0-4c43-89a1-3459fe25c145" --sarif > snyk-results.sarif
# Use the provided organization ID and generate SARIF report
continue-on-error: true
# Continue to the next step even if Snyk encounters errors
- name: Upload results from Snyk to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: snyk-results.sarif
# Action to upload the results of the Snyk scan in SARIF format
category: "Scan-PHP-code-with-Snyk"
# Specify a category to distinguish between multiple analyses
# for the same tool and ref. If you don't use `category` in your workflow,
# GitHub will generate a default category name for you