Merge pull request #3993 from zowe/user/markackert/zlux-tests #2539
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Kubernetes IaC Scan | |
on: | |
push: | |
branches: | |
- v3.x/master | |
- v3.x/staging | |
# pull_request: | |
# types: [opened, synchronize] | |
workflow_dispatch: | |
inputs: | |
RANDOM_DISPATCH_EVENT_ID: | |
description: 'random dispatch event id' | |
required: false | |
type: string | |
jobs: | |
display-dispatch-event-id: | |
if: github.event.inputs.RANDOM_DISPATCH_EVENT_ID != '' | |
runs-on: ubuntu-latest | |
steps: | |
- name: RANDOM_DISPATCH_EVENT_ID is ${{ github.event.inputs.RANDOM_DISPATCH_EVENT_ID }} | |
run: echo "prints random dispatch event id sent from workflow dispatch event" | |
snyk: | |
strategy: | |
matrix: | |
k8s-manifests: | |
# we run 3 kinds as example: CronJob, Deployment, StatefulSet | |
# all other Deployments should be similar | |
- workloads/discovery-statefulset.yaml | |
- workloads/cleanup-static-definitions-cronjob.yaml | |
- workloads/gateway-deployment.yaml | |
# try out other Kinds | |
- samples/api-catalog-service.yaml | |
- samples/gateway-service-ci.yaml | |
- samples/gateway-service-np.yaml | |
- samples/gateway-service-lb.yaml | |
- samples/horizontal-pod-autoscaler/gateway-hpa.yaml | |
- samples/pod-disruption-budget/gateway-pdb.yaml | |
- samples/bare-metal/gateway-ingress.yaml | |
- samples/openshift/gateway-route.yaml | |
- samples/workspace-pvc.yaml | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Run Snyk to check configuration files for security issues | |
continue-on-error: true | |
uses: snyk/actions/iac@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
file: containers/kubernetes/${{ matrix.k8s-manifests }} | |
- name: Upload result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v1 | |
if: hashFiles('snyk.sarif') != '' | |
with: | |
sarif_file: snyk.sarif |