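---
# Snyk dependency scanning for the Gradle, Python and Node manifests of this
# repository.
#
# Two jobs, selected by the triggering event:
#   * snyk_scan_test    - pull_request: runs `snyk test` on the manifests the
#                         PR touched and fails the check when any scan reports
#                         issues.
#   * snyk_scan_monitor - push to master / rel-* / jenkins-* tags: runs
#                         `snyk monitor` so the current dependency tree is
#                         registered with Snyk under the pushed ref's name.
#
# The workflow only needs read access to the repository contents. SNYK_TOKEN is
# scoped to the individual steps that call the Snyk CLI rather than to the whole
# job, so third-party actions (checkout, changed-files, setup-*) never see it in
# their environment.
name: Snyk Security Vulnerability Scan

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
  push:
    tags:
      - 'jenkins-[0-9]+.[0-9]+.[0-9]+.[0-9]+'
    branches:
      - 'master'
      - 'rel-*'

permissions:
  contents: read

jobs:
  snyk_scan_test:
    if: ${{ github.event_name == 'pull_request' }}
    runs-on: ubuntu-latest
    steps:
      # `@v3` replaces the floating `@master` ref so checkout is versioned like
      # the other actions in this file. Pinning every third-party action to a
      # full commit SHA (`@<commit-sha>`) is the stronger supply-chain control,
      # because tags and branches can be moved after the fact.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # changed-files needs the full history (Refer: https://github.com/tj-actions/changed-files#usage)
      - name: Check changed Deps files
        # TODO(review): prefer a full commit SHA over the `v35` tag here.
        uses: tj-actions/changed-files@v35
        id: changed-files
        with:
          files: |  # manifests whose modification should trigger a scan
            **/build.gradle
            **/requirements.txt
            **/package.json
      # TODO(review): `@master` floats; pin to a release tag or commit SHA.
      - uses: snyk/actions/setup@master
      - uses: actions/setup-java@v3
        with:
          java-version: "8"
          distribution: 'adopt'
      # NOTE(review): repository secrets are not exposed to pull_request runs
      # coming from forks, so the scan steps below will most likely fail there
      # and the final "Check Snyk scan results" step will then fail the check.
      - name: Snyk scan for Java dependencies
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'build.gradle')
        id: scan1
        continue-on-error: true  # outcome is evaluated by the final step
        run: |
          unset CI # By default GH actions will set it to true. Therefore it will affect isCi flag in build.gradle (line #7)
          snyk test \
            --all-sub-projects \
            -d \
            --fail-on=all \
            --package-manager=gradle \
            --print-deps \
            --configuration-matching='^\(compile\|runtime\)'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      - name: Snyk scan for Python 3.7 dependencies
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'requirements.txt')
        id: scan2
        continue-on-error: true  # outcome is evaluated by the final step
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          # libkrb5-dev: native build dependency of a requirements.txt entry
          # (presumably a Kerberos binding — verify against h2o-py/requirements.txt).
          sudo apt-get install -y libkrb5-dev
          # The packages must be installed so snyk can resolve the dependency tree.
          pip install -r h2o-py/requirements.txt
          snyk test -d --fail-on=all --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved
      - uses: actions/setup-node@v3
        with:
          node-version: '16.x'
      - name: Snyk scan for Node dependencies
        if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'package.json')
        id: scan3
        continue-on-error: true  # outcome is evaluated by the final step
        run: |
          snyk test --file=h2o-web/package.json -d --fail-on=all
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # Step outcomes are fixed words (success/failure/skipped/cancelled), so
      # interpolating them into the script is safe.
      - name: Check Snyk scan results
        if: steps.scan1.outcome == 'failure' || steps.scan2.outcome == 'failure' || steps.scan3.outcome == 'failure'
        shell: bash
        run: |
          echo "[warning] Please solve the fixable security vulnerabilities found in failed steps!
          Snyk scan for Java dependencies - ${{ steps.scan1.outcome }}
          Snyk scan for Python 3.7 dependencies - ${{ steps.scan2.outcome }}
          Snyk scan for Node dependencies - ${{ steps.scan3.outcome }}"
          exit 1

  snyk_scan_monitor:
    if: ${{ github.event_name == 'push' }}
    runs-on: ubuntu-latest
    steps:
      # See the pinning note in snyk_scan_test: prefer a full commit SHA.
      - uses: actions/checkout@v3
      - name: Extract github branch/tag name
        id: extract_ref
        shell: bash
        # Last path component of refs/heads/<branch> or refs/tags/<tag>.
        run: echo "ref=${GITHUB_REF##*/}" >> "$GITHUB_OUTPUT"
      # TODO(review): `@master` floats; pin to a release tag or commit SHA.
      - uses: snyk/actions/setup@master
      - uses: actions/setup-java@v3
        with:
          java-version: "8"
          distribution: 'adopt'
      - uses: actions/setup-python@v4
        with:
          python-version: "3.7"
      # The extracted ref is handed to the scripts through an environment
      # variable instead of being expanded with `${{ }}` inside `run:`; that
      # keeps a branch/tag name from being parsed as shell syntax.
      - name: Snyk scan for Python 3.7 dependencies
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        run: |
          sudo apt-get install -y libkrb5-dev
          pip install -r h2o-py/requirements.txt
          snyk monitor -d --fail-on=all --org=h2o-3 --file=h2o-py/requirements.txt --package-manager=pip --command=python3 --skip-unresolved --remote-repo-url="h2o-3/$REF" --project-name="H2O-3/h2o-3/$REF/h2o-py/requirements.txt"
      - uses: actions/setup-node@v3
        with:
          node-version: '16.x'
      - name: Snyk scan for Node dependencies
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        run: |
          snyk monitor --org=h2o-3 --remote-repo-url="h2o-3/$REF" --file=h2o-web/package.json --project-name="H2O-3/h2o-3/$REF/h2o-web/package.json" -d
      - name: Snyk scan for Java dependencies
        continue-on-error: true  # one failing sub-project must not block the others being reported
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          REF: ${{ steps.extract_ref.outputs.ref }}
        run: |
          unset CI # By default GH actions will set it to true. Therefore it will set isCi flag in build.gradle to true (line #7)
          export BUILD_HADOOP=true # To include all the build.gradle files to scan
          # NUL-delimited find output so paths survive word splitting intact.
          while IFS= read -r -d '' file; do
            file=${file#./}  # strip the leading "./" find prepends
            echo ""
            echo "##### SCAN $file START #####"
            echo ""
            snyk monitor \
              --org=h2o-3 \
              --remote-repo-url="h2o-3/$REF" \
              --file="$file" --project-name="H2O-3/h2o-3/$REF/$file" \
              -d \
              --skip-unresolved \
              --print-deps \
              --configuration-matching='^\(compile\|runtime\)'
            echo "##### SCAN $file END #####"
          done < <(find . -name "build.gradle" -print0)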