# burnettk created an account at https://app.snyk.io/org/kevin-jfx # and added his SNYK_TOKEN secret under the spiff-arena repo. # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. # A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, # Snyk Container and Snyk Infrastructure as Code) # The setup installs the Snyk CLI - for more details on the possible commands # check https://docs.snyk.io/snyk-cli/cli-reference # The results of Snyk Code are then uploaded to GitHub Security Code Scanning # # In order to use the Snyk Action you will need to have a Snyk API token. # More details in https://github.com/snyk/actions#getting-your-snyk-token # or you can signup for free at https://snyk.io/login # # For more examples, including how to limit scans to only high-severity issues # and fail PR checks, see https://github.com/snyk/actions/ name: Snyk Security # on: # push: # branches: ["main" ] # pull_request: # branches: ["main"] # on: # - push # - pull_request on: workflow_dispatch: # allow running on demand schedule: - cron: "0 14 * * 2" # Every Tuesday at 1PM UTC (9AM/10AM eastern) permissions: contents: read jobs: snyk-backend: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest defaults: run: working-directory: spiffworkflow-backend env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} steps: - uses: actions/checkout@v4 - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning uses: snyk/actions/setup@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Install pip and poetry run: | pip install --constraint=../.github/workflows/constraints.txt pip poetry pip install --upgrade setuptools # https://stackoverflow.com/a/77364602/6090676 pip --version poetry --version - name: Upgrade pip in virtual environments shell: python run: | import os import pip with open(os.environ["GITHUB_ENV"], mode="a") as io: print(f"VIRTUALENV_PIP={pip.__version__}", file=io) - name: Poetry Install run: poetry install # Runs Snyk Code (SAST) analysis and uploads result into GitHub. # Use || true to not fail the pipeline - name: Snyk Code test run: snyk code test --sarif > snyk-code.sarif || true # checks library dependencies - name: Snyk test run: snyk test # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. - name: Snyk Open Source monitor run: snyk monitor --all-projects # Build the docker image for testing - name: Build a Docker image run: docker build -t spiffworkflow-backend/snyk-test . # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - name: Snyk Container monitor run: snyk container monitor spiffworkflow-backend/snyk-test --file=Dockerfile # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: sarif_file: spiffworkflow-backend/snyk-code.sarif snyk-frontend: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest defaults: run: working-directory: spiffworkflow-frontend env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} steps: - uses: actions/checkout@v4 - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. # In this case we want to upload the SAST issues to GitHub Code Scanning uses: snyk/actions/setup@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 env: # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Setup Node uses: actions/setup-node@v4 with: node-version: 18.x - run: npm install # Runs Snyk Code (SAST) analysis and uploads result into GitHub. # Use || true to not fail the pipeline - name: Snyk Code test run: snyk code test --sarif > snyk-code.sarif || true # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. - name: Snyk Open Source monitor run: snyk monitor --all-projects # # uncomment to enable debug logs # env: # DEBUG: "*snyk*" # Build the docker image for testing - name: Build a Docker image run: docker build -t spiffworkflow-frontend/snyk-test . # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. - name: Snyk Container monitor # pruning repeated subdependencies because it fails otherwise run: snyk container monitor spiffworkflow-frontend/snyk-test --file=Dockerfile --prune-repeated-subdependencies # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: sarif_file: spiffworkflow-frontend/snyk-code.sarif