Add a new workflow for code scanning #940

Merged
merged 2 commits into from
Mar 2, 2023
34 changes: 34 additions & 0 deletions .github/workflows/code_scan.yml
@@ -0,0 +1,34 @@
name: Code Scanning

on:
workflow_dispatch: # run on request (no need for PR)
schedule:
# every UTC 6PM from Mon to Fri
- cron: "0 18 * * 1-5"

jobs:
Snyk-scan:
runs-on: [self-hosted, linux, x64]
permissions:
security-events: write
steps:
- name: CHECKOUT REPOSITORY
uses: actions/checkout@v3
- name: Install Tox
run: python -m pip install tox
- name: SNYK SCANNING
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ENDPOINT: ${{ secrets.SNYK_ENDPOINT }}
continue-on-error: true
run: tox -e snyk-scan
- name: UPLOAD TO SECURITY ADVISORIES
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: .tox/snyk.sarif
- name: UPLOAD REPORT
uses: actions/upload-artifact@v3
with:
path: .tox/snyk.html
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}
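Review bot: the `permissions` block lists only `security-events: write`, and declaring any scope sets every unlisted scope to `none`, so `contents: read` should be added next to it for `actions/checkout@v3` (and for `upload-sarif` on private repositories). The step ordering also needs a second look: `continue-on-error: true` on `SNYK SCANNING` lets the job carry on when the scan dies before writing `.tox/snyk.sarif` (for example when the CLI download fails), and `UPLOAD TO SECURITY ADVISORIES` then fails on the missing file; the comment on `UPLOAD REPORT` says `always()` is there for test failures, but with `continue-on-error` on the scan step it only takes effect when the SARIF upload itself fails. Guarding both upload steps on `hashFiles('.tox/snyk.sarif') != ''` / `hashFiles('.tox/snyk.html') != ''` makes the intent explicit. Note as well that with `continue-on-error` the job stays green when Snyk finds vulnerabilities, so findings surface only in the Security tab and the artifact. Minor: `@v3` / `@v2` are floating tags; for a workflow that handles `SNYK_TOKEN` on a self-hosted runner, pinning the actions to commit SHAs is the usual hardening.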
38 changes: 38 additions & 0 deletions tox.ini
Expand Up @@ -5,6 +5,7 @@ envlist =
pre-commit
pre_merge
nightly
snyk-scan

[testenv:pre-commit]
basepython = python3
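Review bot: adding `snyk-scan` to the default `envlist` means a bare `tox` run (no `-e`) now also downloads the Snyk CLI and calls `snyk monitor`, which needs `SNYK_TOKEN` and network access and will fail on a developer machine; since the workflow invokes it explicitly with `tox -e snyk-scan`, it can be left out of `envlist` and still run on request.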
Expand Down Expand Up @@ -59,3 +60,40 @@ commands =
coverage run --include=anomalib/* -m pytest tests/nightly/ -ra --showlocals
coverage report -m --fail-under=33
coverage xml -o {toxworkdir}/coverage.xml

[testenv:snyk-scan]
basepython = python3
passenv = ftp_proxy
HTTP_PROXY
HTTPS_PROXY
CUDA_VISIBLE_DEVICES
ANOMALIB_DATASET_PATH
SNYK_ENDPOINT
SNYK_TOKEN
allowlist_externals =
bash
curl
wget
chmod
rm
*snyk*
install_command = pip install --no-cache-dir {opts} {packages}
deps =
-r{toxinidir}/requirements/base.txt
-r{toxinidir}/requirements/openvino.txt
-r{toxinidir}/requirements/extras.txt
commands =
bash -c "pip freeze > snyk-req.txt"
curl https://static.snyk.io/cli/latest/snyk-linux -o {toxworkdir}/snyk
chmod +x {toxworkdir}/snyk
{toxworkdir}/snyk config set endpoint={env:SNYK_ENDPOINT}
{toxworkdir}/snyk config set disable-analytics=1
; ignore exit code of the SNYK scanning to generate a report
- {toxworkdir}/snyk test --file=snyk-req.txt --package-manager=pip --sarif-file-output={toxworkdir}/snyk.sarif --json-file-output={toxworkdir}/snyk.json --debug
- {toxworkdir}/snyk monitor --file=snyk-req.txt --package-manager=pip
wget -P .tox/ https://github.com/snyk/snyk-to-html/releases/download/v2.3.6/snyk-to-html-linux
chmod +x {toxworkdir}/snyk-to-html-linux
{toxworkdir}/snyk-to-html-linux -i {toxworkdir}/snyk.json -o {toxworkdir}/snyk.html -d
rm {toxworkdir}/snyk
rm {toxworkdir}/snyk-to-html-linux
rm snyk-req.txt
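Review bot: `wget -P .tox/ ...` hardcodes the work directory while every other command uses `{toxworkdir}`, so the following `chmod +x {toxworkdir}/snyk-to-html-linux` breaks as soon as `toxworkdir` is set to anything else; use `wget -P {toxworkdir} ...`. The larger supply-chain point is that `snyk-linux` is fetched from the floating `latest` URL and executed with the project's `SNYK_TOKEN` without any checksum or signature check, and `snyk-to-html-linux`, although pinned to v2.3.6, is not verified either; pin the CLI version and verify both downloads against a known SHA-256 (`sha256sum -c`) before `chmod +x`. Also, because tox stops at the first failing command, a failure in `wget` or `snyk-to-html-linux` leaves the downloaded binaries and `snyk-req.txt` behind, so the three `rm` lines belong in `commands_post`, and `snyk-req.txt` is better written under `{toxworkdir}` than in the checkout root.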