From 1c72a77845c52853609ee8effb3d62c89b9c7de9 Mon Sep 17 00:00:00 2001
From: Bonface Shisakha Asunga
Date: Mon, 14 Nov 2022 13:06:38 +0300
Subject: [PATCH 1/4] Add Snyk CI scan for security scan on the repo

Signed-off-by: Bonface Shisakha Asunga
---
 .github/workflows/snyk-security-scan.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/snyk-security-scan.yml

diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
new file mode 100644
index 000000000..75ae1986f
--- /dev/null
+++ b/.github/workflows/snyk-security-scan.yml
@@ -0,0 +1,22 @@
+name: Snyk Security Scan GitHub Actions
+on:
+ push:
+ - master
+ - develop
+ pull-request:
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle@master
+ continue-on-error: true # To make sure that SARIF upload gets called
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --sarif-file-output=snyk.sarif --severity-threshold=high
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
\ No newline at end of file

From 1fb9cfb3de28428e19ee416c23a7a33b79fb592b Mon Sep 17 00:00:00 2001
From: Bonface Shisakha Asunga
Date: Mon, 14 Nov 2022 15:04:34 +0300
Subject: [PATCH 2/4] Snyk Security Scan integration

Signed-off-by: Bonface Shisakha Asunga
---
 .github/workflows/snyk-security-scan.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
index 75ae1986f..cf3f13a92 100644
--- a/.github/workflows/snyk-security-scan.yml
+++ b/.github/workflows/snyk-security-scan.yml
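Review bot: Both third-party actions in the new steps are referenced by a mutable branch, `uses: actions/checkout@master` and `uses: snyk/actions/gradle@master`, while the Snyk step receives `SNYK_TOKEN` and the checked-out repository, so anyone who can push to either upstream branch can run arbitrary code with that token on every CI run. Pin each action to a full commit SHA with the release tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v3`, and do the same for `github/codeql-action/upload-sarif`, whose `@v2` is a floating tag. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope; `upload-sarif` needs `security-events: write`, and a job-level `permissions:` with `contents: read` and `security-events: write` grants exactly that and nothing more. Note that `continue-on-error: true` also hides a scan that never ran (for example an empty token), in which case `snyk.sarif` is never written and only the upload step reports a failure, so the job's status should not be read as "no high-severity findings".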
@@ -1,16 +1,21 @@ name: Snyk Security Scan GitHub Actions on: push: - - master - - develop + branches: + - master + - develop pull-request: jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@master + - name: Install SDK + run: echo "y" | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install "ndk;21.0.6113669" --sdk_root=${ANDROID_SDK_ROOT} + - name: Grant execute permission for gradlew + run: chmod +x gradlew - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/gradle@master + uses: snyk/actions/gradle-jdk11@master continue-on-error: true # To make sure that SARIF upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 86ab3cb023552e60d11c1ba78c02ce6cebf1fc2a Mon Sep 17 00:00:00 2001 From: Bonface Shisakha Asunga Date: Mon, 14 Nov 2022 15:18:00 +0300 Subject: [PATCH 3/4] Add --stacktrace option Signed-off-by: Bonface Shisakha Asunga --- .github/workflows/snyk-security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml index cf3f13a92..e6b9e634a 100644 --- a/.github/workflows/snyk-security-scan.yml +++ b/.github/workflows/snyk-security-scan.yml @@ -20,7 +20,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=snyk.sarif --severity-threshold=high + args: --sarif-file-output=snyk.sarif --severity-threshold=high --stacktrace - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: From 90d7f0610e121e9412cacae2cf2c98a15dbe9516 Mon Sep 17 00:00:00 2001 From: Bonface Shisakha Asunga Date: Mon, 14 Nov 2022 16:37:21 +0300 Subject: [PATCH 4/4] Add action to create local.properties Signed-off-by: Bonface Shisakha Asunga --- .github/workflows/snyk-security-scan.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml index e6b9e634a..67ed14390 100644 
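Review bot: The new "Install SDK" step runs `sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install "ndk;21.0.6113669"` with the license auto-accepted by `echo "y"`, which performs a network download and install as root on the runner for a job that only needs dependency resolution; if the hosted image's SDK directory is writable by the runner user, drop `sudo`, and in either case quote the expansions as `"${ANDROID_HOME}"` and `"${ANDROID_SDK_ROOT}"` so an unset variable fails visibly instead of resolving to `/tools/bin/sdkmanager`. The "Grant execute permission for gradlew" step then hands execution to the repository's own wrapper, which the Snyk step presumably invokes to resolve the Gradle project, so a modified `gradle-wrapper.jar` on any scanned branch or same-repository pull request executes under this job with `SNYK_TOKEN` in the environment; a `gradle/wrapper-validation-action` step (pinned to a SHA) before the scan is the usual check. The replacement `uses: snyk/actions/gradle-jdk11@master` keeps the mutable-branch reference rather than a pinned commit.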
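Review bot: `--stacktrace` is appended to the Snyk CLI's own argument list in `args:`, and as far as I can tell Snyk does not define that option; if the intent is Gradle's `--stacktrace` to diagnose the dependency-resolution failure, Snyk forwards Gradle arguments only after a `--` separator, i.e. `args: --sarif-file-output=snyk.sarif --severity-threshold=high -- --stacktrace`. Worth confirming against the snyk/actions README for the version actually in use, since the action is unpinned and its argument handling can change underneath this workflow. Also keep in mind that a Gradle stack trace prints resolved paths and project properties into the public job log, so check what the build echoes before leaving this flag on permanently.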
--- a/.github/workflows/snyk-security-scan.yml +++ b/.github/workflows/snyk-security-scan.yml @@ -4,7 +4,7 @@ on: branches: - master - develop - pull-request: + pull_request: jobs: security: runs-on: ubuntu-latest @@ -14,6 +14,10 @@ jobs: run: echo "y" | sudo ${ANDROID_HOME}/tools/bin/sdkmanager --install "ndk;21.0.6113669" --sdk_root=${ANDROID_SDK_ROOT} - name: Grant execute permission for gradlew run: chmod +x gradlew + - name: Decode & Generate local.properties file + run: echo $LOCAL_PROPERTIES | base64 -di > local.properties + env: + LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }} - name: Run Snyk to check for vulnerabilities uses: snyk/actions/gradle-jdk11@master continue-on-error: true # To make sure that SARIF upload gets called
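Review bot: With the trigger key corrected to `pull_request:` the workflow now actually runs on pull requests, and for pull requests from forks GitHub supplies no repository secrets, so `${{ secrets.SNYK_TOKEN }}` and `${{ secrets.LOCAL_PROPERTIES }}` expand to empty strings; the Snyk step then fails under `continue-on-error`, `snyk.sarif` is never written, and the upload step errors on a missing file. Guard the scan and upload steps with a condition such as `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or run them only on `push`, rather than letting fork PRs report a red check for an unrelated reason. Do not "fix" this by switching to `pull_request_target`, which would run fork-supplied code (the Gradle wrapper and build scripts) with the secrets available.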
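Review bot: The "Decode & Generate local.properties file" step writes a decoded secret into the checked-out workspace with `echo $LOCAL_PROPERTIES | base64 -di > local.properties`, and GitHub's log masking only matches the exact base64 secret value, so the decoded properties are not masked if anything later prints them (a Gradle failure with `--stacktrace`, Snyk debug output, or a build script that logs its properties). The expansion is also unquoted, and `-i` silently ignores malformed input instead of failing; `printf '%s' "$LOCAL_PROPERTIES" | base64 -d > local.properties` is the safer form. The file then stays in the workspace for the rest of the job, where the unpinned `snyk/actions/gradle-jdk11@master` step and the project's own build scripts can read it, so remove it once the scan has run and keep its contents to what Gradle's configuration phase needs for dependency resolution (such as the SDK path), not signing credentials or API keys. The enclosing `steps:` list continues past the end of this hunk.
```yaml
      - name: Decode & Generate local.properties file
        run: printf '%s' "$LOCAL_PROPERTIES" | base64 -d > local.properties
        env:
          LOCAL_PROPERTIES: ${{ secrets.LOCAL_PROPERTIES }}
      # … unchanged: Run Snyk to check for vulnerabilities step …
      - name: Remove local.properties
        if: always()
        run: rm -f local.properties
      # … unchanged: Upload result to GitHub Code Scanning step …
```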