Add a new workflow for code scanning (#940)

Added a new workflow for code scanning Signed-off-by: Yunchu Lee <[email protected]> Co-authored-by: Samet Akcay <[email protected]>
openvinotoolkit · Mar 2, 2023 · 566e8cb · 566e8cb
1 parent 78ab50e
commit 566e8cb
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 0 deletions.
diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml
@@ -0,0 +1,34 @@
+name: Code Scanning
+
+on:
+  workflow_dispatch: # run on request (no need for PR)
+  schedule:
+    # every UTC 6PM from Mon to Fri
+    - cron: "0 18 * * 1-5"
+
+jobs:
+  Snyk-scan:
+    runs-on: [self-hosted, linux, x64]
+    permissions:
+      security-events: write
+    steps:
+      - name: CHECKOUT REPOSITORY
+        uses: actions/checkout@v3
+      - name: Install Tox
+        run: python -m pip install tox
+      - name: SNYK SCANNING
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_ENDPOINT: ${{ secrets.SNYK_ENDPOINT }}
+        continue-on-error: true
+        run: tox -e snyk-scan
+      - name: UPLOAD TO SECURITY ADVISORIES
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: .tox/snyk.sarif
+      - name: UPLOAD REPORT
+        uses: actions/upload-artifact@v3
+        with:
+          path: .tox/snyk.html
+        # Use always() to always run this step to publish scan results when there are test failures
+        if: ${{ always() }}
diff --git a/tox.ini b/tox.ini
@@ -5,6 +5,7 @@ envlist =
     pre-commit
     pre_merge
     nightly
+    snyk-scan
 
 [testenv:pre-commit]
 basepython = python3
@@ -59,3 +60,40 @@ commands =
     coverage run --include=anomalib/* -m pytest tests/nightly/ -ra --showlocals
     coverage report -m --fail-under=33
     coverage xml -o {toxworkdir}/coverage.xml
+
+[testenv:snyk-scan]
+basepython = python3
+passenv = ftp_proxy
+    HTTP_PROXY
+    HTTPS_PROXY
+    CUDA_VISIBLE_DEVICES
+    ANOMALIB_DATASET_PATH
+    SNYK_ENDPOINT
+    SNYK_TOKEN
+allowlist_externals =
+    bash
+    curl
+    wget
+    chmod
+    rm
+    *snyk*
+install_command = pip install --no-cache-dir {opts} {packages}
+deps =
+    -r{toxinidir}/requirements/base.txt
+    -r{toxinidir}/requirements/openvino.txt
+    -r{toxinidir}/requirements/extras.txt
+commands =
+    bash -c "pip freeze > snyk-req.txt"
+    curl https://static.snyk.io/cli/latest/snyk-linux -o {toxworkdir}/snyk
+    chmod +x {toxworkdir}/snyk
+    {toxworkdir}/snyk config set endpoint={env:SNYK_ENDPOINT}
+    {toxworkdir}/snyk config set disable-analytics=1
+    ; ignore exit code of the SNYK scanning to generate a report
+    - {toxworkdir}/snyk test --file=snyk-req.txt --package-manager=pip --sarif-file-output={toxworkdir}/snyk.sarif --json-file-output={toxworkdir}/snyk.json --debug
+    - {toxworkdir}/snyk monitor --file=snyk-req.txt --package-manager=pip
+    wget -P .tox/ https://github.com/snyk/snyk-to-html/releases/download/v2.3.6/snyk-to-html-linux
+    chmod +x {toxworkdir}/snyk-to-html-linux
+    {toxworkdir}/snyk-to-html-linux -i {toxworkdir}/snyk.json -o {toxworkdir}/snyk.html -d
+    rm {toxworkdir}/snyk
+    rm {toxworkdir}/snyk-to-html-linux
+    rm snyk-req.txt