Skip to content
Snyk scan

ci: add phylum analysis job #25

Sign in to view logs

ci: add phylum analysis job

ci: add phylum analysis job #25

Workflow file for this run

.github/workflows/pr_and_main.yml at 21b970f
name: "Snyk scan"
on:
pull_request:
push:
branches:
- main
jobs:
phylum_analyze:

Check failure on line 10 in .github/workflows/pr_and_main.yml

View workflow run for this annotation

GitHub Actions / Snyk scan

Invalid workflow file 

The workflow is not valid. .github/workflows/pr_and_main.yml (Line: 10, Col: 3): Error calling workflow 'radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main'. The nested job 'phylum_analyze' is requesting 'pull-requests: write, id-token: write', but is only allowed 'pull-requests: none, id-token: none'.
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/phylum-analyze.yml@main
secrets:
phylum_api_key: ${{ secrets.PHYLUM_API_KEY }}
snyk_scan_deps_licences:
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Run Snyk to check for deps vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ secrets.SNYK_ORG_ID }} --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
snyk_scan_code:
runs-on: ubuntu-latest
steps:
- uses: RDXWorks-actions/checkout@main
- name: Run Snyk to check for code vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ secrets.SNYK_ORG_ID }} --severity-threshold=high
command: code test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
snyk_sbom:
runs-on: ubuntu-latest
needs:
- snyk_scan_deps_licences
- snyk_scan_code
steps:
- uses: RDXWorks-actions/checkout@main
- name: Generate SBOM # check SBOM can be generated but nothing is done with it
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ secrets.SNYK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
command: sbom
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
snyk_online_monitor:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: RDXWorks-actions/checkout@main
- name: Enable Snyk online monitoring to check for vulnerabilities
uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
with:
args: --all-projects --org=${{ secrets.SNYK_ORG_ID }}
command: monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}