ci: Add Snyk security scans

equinor · Jan 23, 2023 · 6994c02 · 6994c02
1 parent c53b003
commit 6994c02
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/.github/workflows/on-push-feature-branch.yaml b/.github/workflows/on-push-feature-branch.yaml
@@ -10,3 +10,5 @@ on:
 jobs:
   tests:
     uses: ./.github/workflows/tests.yaml
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/on-push-main-branch.yaml b/.github/workflows/on-push-main-branch.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
   tests:
     uses: ./.github/workflows/tests.yaml
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   generate-changelog:
     needs: tests

diff --git a/.github/workflows/release-production.yaml b/.github/workflows/release-production.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
   tests:
     uses: ./.github/workflows/tests.yaml
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   publish-production:
     needs: tests

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -8,6 +8,9 @@ on:
       CR_SECRET:
         description: "Secret to authenticate if using an other container registry than Github"
         required: false
+      SNYK_TOKEN:
+        description: "Token used to authenticate with Snyk"
+        required: true
 
 env:
   IMAGE_REGISTRY: ghcr.io
@@ -50,6 +53,11 @@ jobs:
           docker pull $API_IMAGE
           docker build --target development --tag api-development ./api # TODO: --cache-from $API_IMAGE
 
+      - name: Container security scan with Snyk
+        run: |
+          sudo apt-get install docker-scan-plugin
+          docker scan api-development
+
       - name: BDD Integration tests
         if: ${{ false }} # disable for now
         run: docker-compose -f docker-compose.yml -f docker-compose.ci.yml run api behave
@@ -68,6 +76,32 @@ jobs:
           docker pull $WEB_IMAGE
           docker build --cache-from $WEB_IMAGE --target development --tag web-dev ./web
 
+      - name: Container security scan with Snyk
+        run: |
+          sudo apt-get install docker-scan-plugin
+          docker scan web-dev
+          
+
+  python-security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for Python vulnerabilities
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+
+  node-security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for Node vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
   test-docs:
     name: test-docs
     runs-on: ubuntu-latest