-
Notifications
You must be signed in to change notification settings - Fork 5
136 lines (124 loc) · 3.85 KB
/
sbt-node-snyk-pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Simple Snyk test for SBT + Node
on:
workflow_call:
inputs:
SKIP_NODE:
type: boolean
required: false
default: false
SKIP_SBT:
type: boolean
required: false
default: false
SKIP_PYTHON:
type: boolean
required: false
default: true
SKIP_GO:
type: boolean
required: false
default: true
DEBUG:
type: string
required: false
SEVERITY_THRESHOLD:
type: string
required: false
ORG:
type: string
required: true
EXCLUDE:
type: string
required: false
default: ""
JAVA_VERSION:
type: string
required: false
default: "11"
NODE_VERSION_FILE:
type: string
required: false
default: ".nvmrc"
NODE_VERSION_OVERRIDE:
type: string
required: false
PRUNE_DUPLICATES:
type: boolean
required: false
default: false
PYTHON_VERSION:
type: string
required: false
PIP_REQUIREMENTS_FILES:
type: string
required: false
description: space-separated list of requirements.txt file paths to install
PIPFILES:
type: string
required: false
description: space-separated list of Pipfile file paths to install
GO_VERSION_FILE:
type: string
required: false
default: go.mod
secrets:
SNYK_TOKEN:
required: true
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout branch
uses: actions/checkout@v4
- uses: snyk/actions/[email protected]
- uses: actions/setup-node@v4
if: inputs.NODE_VERSION_OVERRIDE == '' && inputs.SKIP_NODE != true
with:
node-version-file: ${{ inputs.NODE_VERSION_FILE }}
- uses: actions/setup-node@v4
if: inputs.NODE_VERSION_OVERRIDE != '' && inputs.SKIP_NODE != true
with:
node-version: ${{ inputs.NODE_VERSION_OVERRIDE }}
- uses: actions/setup-java@v4
if: inputs.SKIP_SBT != true
with:
java-version: ${{ inputs.JAVA_VERSION }}
distribution: "adopt"
- uses: actions/setup-python@v5
if: inputs.SKIP_PYTHON != true
with:
python-version: ${{ inputs.PYTHON_VERSION }}
- if: inputs.SKIP_PYTHON != true
run: pip install pipenv
- if: inputs.PIP_REQUIREMENTS_FILES != ''
run: |
for file in ${{ inputs.PIP_REQUIREMENTS_FILES }}
do
pip install -r $file
done
- if: inputs.PIPFILES != ''
run: |
for file in ${{ inputs.PIPFILES }}
do
cd $(echo $file | sed "s/Pipfile//")
pipenv install
cd -
done
- uses: actions/setup-go@v5
if: inputs.SKIP_GO != true
with:
go-version-file: ${{ inputs.GO_VERSION_FILE }}
- name: Snyk test
run: |
snyk test \
$DEBUG_OPTION \
$PRUNE_OPTION \
--severity-threshold=${SEVERITY_THRESHOLD:-high} \
--all-projects \
--org="${{ inputs.ORG }}" \
--exclude="${{ inputs.EXCLUDE }}"
env:
SEVERITY_THRESHOLD: ${{ inputs.SEVERITY_THRESHOLD }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
DEBUG_OPTION: ${{ inputs.DEBUG == 'true' && '-d' || '' }}
PRUNE_OPTION: ${{ inputs.PRUNE_DUPLICATES == true && '-p' || '' }}