Skip to content
This repository has been archived by the owner on Dec 4, 2024. It is now read-only.

Adding Snyk code SAST in addition to vulerability test in workflows #823

Merged
merged 9 commits into from
Oct 21, 2022
Merged

Adding Snyk code SAST in addition to vulerability test in workflows #823

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
60e5bce
adding Snyk code SAST in addition to vulerability test in workflows
epikichi Oct 20, 2022
a820bf6
updating job name to avoid dupe
epikichi Oct 20, 2022
07249ba
separating code to its own job
epikichi Oct 20, 2022
7b0c921
syntax
epikichi Oct 20, 2022
4e9356a
Setting severity threshhold for license vul to high
epikichi Oct 20, 2022
8d6f9e0
adding explicit snyk org
epikichi Oct 20, 2022
891ff6d
adding snyk org secrets to devnet and testnet workflow
epikichi Oct 20, 2022
2da7b5d
syntax
epikichi Oct 20, 2022
b204162
missed
epikichi Oct 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,20 @@ jobs:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/golang@master
with:
args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=high
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

snyk-code:
name: Snyk Code
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk SAST to check for code vulnerabilities
uses: snyk/actions/golang@master
with:
command: code test
args: --org=${{ secrets.SNYK_ORG }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
1 change: 1 addition & 0 deletions .github/workflows/deploy.devnet.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ jobs:
uses: 0xpolygon/polygon-edge/.github/workflows/security.yml@develop
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: ${{ secrets.SNYK_ORG }}

build:
name: Build
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/deploy.testnet.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ jobs:
uses: 0xpolygon/polygon-edge/.github/workflows/security.yml@develop
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORG: ${{ secrets.SNYK_ORG }}

build:
uses: 0xpolygon/polygon-edge/.github/workflows/build.yml@develop
Expand Down
23 changes: 22 additions & 1 deletion .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ on: # yamllint disable-line rule:truthy
secrets:
SNYK_TOKEN:
required: true
SNYK_ORG:
required: true
workflow_dispatch: {}
schedule:
- cron: '0 0 * * 0'
Expand All @@ -23,7 +25,26 @@ jobs:
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
snyk-code:
name: Snyk Code and Publish
runs-on: ubuntu-latest
continue-on-error: true
steps:
- name: Checkout Source
uses: actions/checkout@master
- name: Run Snyk SAST to check for vulnerabilities
uses: snyk/actions/golang@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
command: code test
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
Expand Down