Snyk SBOM workflow add #6274

Merged 2 commits on Jun 1, 2022
54 changes: 54 additions & 0 deletions .github/workflows/snyk.yml
@@ -0,0 +1,54 @@
name: Snyk SBOM CI

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]

jobs:
snyk_scans:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v3
- name: Run Snyk to check for vulnerabilities - sarif output
continue-on-error: true
uses: snyk/actions/golang@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: test
args: --all-projects --sarif-file-output=${{ github.event.repository.name }}.sarif --strict-out-of-sync=false

- name: Run Snyk to check for vulnerabilities - json output
continue-on-error: true
uses: snyk/actions/golang@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: test
args: --json --all-projects --json-file-output=${{ github.event.repository.name }}.json --strict-out-of-sync=false

- name: install snyk-to-html
run: |
Contributor

I notice this task was run as part of the PR. This is a public CI; can a user do this to dump sensitive information?

Member Author

@MasslessParticle I would not think so; the secrets in the workflow are stored in the GitHub Org, similar to the other workflows in this repo.

Contributor

👍 It looks like GitHub Actions does the right thing.
npm install snyk-to-html snyk2spdx snyk -g
snyk auth ${{ secrets.SNYK_TOKEN }}
snyk-to-html -i ${{ github.event.repository.name }}.json -o ${{ github.event.repository.name }}.html
snyk test --json --strict-out-of-sync=false | snyk2spdx --output ${{ github.event.repository.name }}.spdx

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ github.event.repository.name }}.sarif

- name: Create results dir
run: mkdir -p snyk_scans && cp -v ${{ github.event.repository.name }}.{html,json,sarif,spdx} snyk_scans/

- name: Use the Upload Artifact GitHub Action
uses: actions/upload-artifact@v2
with:
name: snyk_scans
path: snyk_scans
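Review bot: `continue-on-error: true` on both "Run Snyk to check for vulnerabilities" steps means a vulnerable dependency never fails this workflow, so the scan reports but does not gate; if the intent is to surface findings only through the SARIF upload, say so in a comment in the file, otherwise drop `continue-on-error` (or keep it only on the SARIF step, whose output `upload-sarif` needs even when vulnerabilities are found). Three smaller points: `snyk/actions/golang@master` tracks a mutable branch and runs with `SNYK_TOKEN` in its environment, so pin it to a release tag or commit SHA like `actions/checkout@v3` and `actions/upload-artifact@v2`. In the "install snyk-to-html" step, `snyk auth ${{ secrets.SNYK_TOKEN }}` interpolates the secret into the shell line and so into the process arguments; the CLI reads `SNYK_TOKEN` from the environment, so set it via `env:` on that step as the two action steps do and drop the `snyk auth` line. And the `snyk test --json ... | snyk2spdx` invocation omits `--all-projects`, unlike the two steps above it, so the SPDX file will only describe the root module. Relevant to the thread above: secrets are not exposed to `pull_request` runs from forks, so on a fork PR these steps fail, and `continue-on-error` hides that failure rather than the token.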