From 99cecc75d47524825093170995c99ca37319e335 Mon Sep 17 00:00:00 2001
From: KristianKjerstad
Date: Mon, 16 Jan 2023 17:02:54 +0100
Subject: [PATCH] ci: Add Snyk security scans
---
 .github/workflows/on-push-feature-branch.yaml | 2 ++
 .github/workflows/on-push-main-branch.yaml | 2 ++
 .github/workflows/release-production.yaml | 2 ++
 .github/workflows/tests.yaml | 34 +++++++++++++++++++
 4 files changed, 40 insertions(+)
diff --git a/.github/workflows/on-push-feature-branch.yaml b/.github/workflows/on-push-feature-branch.yaml
index 3a2f65d3..8554cf96 100644
--- a/.github/workflows/on-push-feature-branch.yaml
+++ b/.github/workflows/on-push-feature-branch.yaml
@@ -10,3 +10,5 @@ on:
 jobs:
 tests:
 uses: ./.github/workflows/tests.yaml
+ secrets:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/on-push-main-branch.yaml b/.github/workflows/on-push-main-branch.yaml
index 97f11aea..8063f943 100644
--- a/.github/workflows/on-push-main-branch.yaml
+++ b/.github/workflows/on-push-main-branch.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
 tests:
 uses: ./.github/workflows/tests.yaml
+ secrets:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 generate-changelog:
 needs: tests
diff --git a/.github/workflows/release-production.yaml b/.github/workflows/release-production.yaml
index 1e4bdd56..c5310d0f 100644
--- a/.github/workflows/release-production.yaml
+++ b/.github/workflows/release-production.yaml
@@ -10,6 +10,8 @@ on:
 jobs:
 tests:
 uses: ./.github/workflows/tests.yaml
+ secrets:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 publish-production:
 needs: tests
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index ce2e3bf9..16edc7be 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -8,6 +8,9 @@ on:
 CR_SECRET:
 description: "Secret to authenticate if using an other container registry than Github"
 required: false
+ SNYK_TOKEN:
+ description: "Token used to authenticate with Snyk"
+ required: true
 env:
 IMAGE_REGISTRY: ghcr.io
@@ -50,6 +53,11 @@ jobs:
 docker pull $API_IMAGE
 docker build --target development --tag api-development ./api # TODO: --cache-from $API_IMAGE
+ - name: Container security scan with Snyk
+ run: |
+ apt install docker-scan-plugin
+ docker scan api-development
+
 - name: BDD Integration tests
 if: ${{ false }} # disable for now
 run: docker-compose -f docker-compose.yml -f docker-compose.ci.yml run api behave
@@ -68,6 +76,32 @@ jobs:
 docker pull $WEB_IMAGE
 docker build --cache-from $WEB_IMAGE --target development --tag web-dev ./web
+ - name: Container security scan with Snyk
+ run: |
+ apt install docker-scan-plugin
+ docker scan web-dev
+
+
+ python-security-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for Python vulnerabilities
+ uses: snyk/actions/python@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --severity-threshold=high
+
+ node-security-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for Node vulnerabilities
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
 test-docs:
 name: test-docs
 runs-on: ubuntu-latest
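Review bot: The new `Container security scan with Snyk` step's `run:` block is unlikely to work on a hosted runner as written: `apt install docker-scan-plugin` runs unprivileged and non-interactively, so it needs `sudo apt-get install -y` (and the package may already be on the runner image or not be in its apt sources — worth checking), and `docker scan` is never given the Snyk credential that this commit plumbs through every caller, so it falls back to whatever anonymous or Docker-Hub-login access the CLI has. The step also has no severity threshold, unlike the `--severity-threshold=high` the Python job sets later in this commit, so any finding at any level fails the build. I would put `env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` on the step and change the body to `sudo apt-get install -y docker-scan-plugin`, `docker scan --login --token "$SNYK_TOKEN"`, `docker scan --severity high api-development`. The same applies to the `docker scan web-dev` step in the next hunk; as far as I know `docker scan` has since been deprecated by Docker, so Snyk's own container-scanning action is the more durable choice. The enclosing job starts outside the hunk.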
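Review bot: Every `uses:` line in the new `python-security-scan` and `node-security-scan` jobs references a mutable `@master` ref (`actions/checkout@master`, `snyk/actions/python@master`, `snyk/actions/node@master`), so each run executes whatever those branches currently contain and hands it the Snyk token; pin each to a release tag or, preferably, a full commit SHA, e.g. `uses: snyk/actions/python@<full-commit-sha>  # <release tag>`. Both scans also run from the repository root, while the `docker build ... ./api` and `./web` lines above suggest the Python and Node projects live in `api/` and `web/`, so the scanners may find no manifest or the wrong one — an explicit `args: --file=<path to manifest>` is probably needed; please confirm against the tree. The Node job is missing the `--severity-threshold=high` that the Python job sets, so the two jobs gate on different levels. Neither new job declares `permissions:`; `permissions: contents: read` is enough for a checkout-and-scan job and keeps the default token from being broader than needed.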