Skip to content

Commit

Permalink
ci: Add Snyk security scans
Browse files Browse the repository at this point in the history
  • Loading branch information
KristianKjerstad committed Jan 20, 2023
1 parent c53b003 commit 99cecc7
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/on-push-feature-branch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,3 +10,5 @@ on:
jobs:
tests:
uses: ./.github/workflows/tests.yaml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
2 changes: 2 additions & 0 deletions .github/workflows/on-push-main-branch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ on:
jobs:
tests:
uses: ./.github/workflows/tests.yaml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

generate-changelog:
needs: tests
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/release-production.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@ on:
jobs:
tests:
uses: ./.github/workflows/tests.yaml
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

publish-production:
needs: tests
Expand Down
34 changes: 34 additions & 0 deletions .github/workflows/tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
CR_SECRET:
description: "Secret to authenticate if using an other container registry than Github"
required: false
SNYK_TOKEN:
description: "Token used to authenticate with Snyk"
required: true

env:
IMAGE_REGISTRY: ghcr.io
Expand Down Expand Up @@ -50,6 +53,11 @@ jobs:
docker pull $API_IMAGE
docker build --target development --tag api-development ./api # TODO: --cache-from $API_IMAGE
- name: Container security scan with Snyk
run: |
apt install docker-scan-plugin
docker scan api-development
- name: BDD Integration tests
if: ${{ false }} # disable for now
run: docker-compose -f docker-compose.yml -f docker-compose.ci.yml run api behave
Expand All @@ -68,6 +76,32 @@ jobs:
docker pull $WEB_IMAGE
docker build --cache-from $WEB_IMAGE --target development --tag web-dev ./web
- name: Container security scan with Snyk
run: |
apt install docker-scan-plugin
docker scan web-dev
python-security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for Python vulnerabilities
uses: snyk/actions/python@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high

node-security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for Node vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

test-docs:
name: test-docs
runs-on: ubuntu-latest
Expand Down

0 comments on commit 99cecc7

Please sign in to comment.