snyk-scan.yml

name: Snyk Security Vulnerability Scan

on:
  workflow_dispatch:
  pull_request:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
    branches:
      - 'main'

jobs:
  snyk_scan_test:
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master

      - uses: snyk/actions/setup@master

      - uses: actions/setup-python@v4
        with:
          python-version: '3.8'

      - name: Check changed Deps files
        uses: tj-actions/changed-files@v35
        id: changed-files
        with:
          files: |
            **/requirements*.txt

      - name: Snyk scan for Python dependencies
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
            python3 -m pip install -r $file
            snyk test --command=python3 --package-manager=pip --file=$file -d --skip-unresolved 
          done
  
  snyk_scan_monitor:
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest
    steps:
      - name: Extract github branch/tag name
        shell: bash
        run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
        id: extract_ref
      
      - uses: actions/checkout@master

      - uses: snyk/actions/setup@master

      - uses: actions/setup-python@v4
        with:
          python-version: '3.8'

      - name: Snyk scan for Python dependencies
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          for file in requirements*.txt; do
            python3 -m pip install -r $file
            snyk monitor --command=python3 --skip-unresolved --org=py_data_table --remote-repo-url=datatable/${{ steps.extract_ref.outputs.ref }} --package-manager=pip --file=$file --project-name=PY-DATA-TABLE/datatable/${{ steps.extract_ref.outputs.ref }}/$file -d --fail-on=all
          done