Snyk Scan #170
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Run Snyk nightly to scan and report security issues. | |
name: Snyk Scan | |
# Job will run nightly at 02:05 EDT / 01:05 CDT | |
# Time below is UTC | |
on: | |
schedule: | |
- cron: "5 6 * * *" | |
workflow_dispatch: | |
permissions: | |
contents: read | |
jobs: | |
security-scan: | |
# This workflow only runs on the main liquibase repo, not in forks | |
if: github.repository == 'liquibase/liquibase' | |
name: Snyk Security Scan | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Set up JDK 11 | |
uses: actions/setup-java@v3 | |
with: | |
java-version: 11 | |
distribution: 'temurin' | |
cache: 'maven' | |
## Need to install the snyk CLI and not use the github action because the action runs snyk in a separate docker container which does not have access to the installed sub-modules. | |
- name: Install snyk | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
curl -s https://static.snyk.io/cli/latest/snyk-linux -o snyk | |
ls -l snyk | |
chmod 755 snyk | |
./snyk config set api="$SNYK_TOKEN" | |
## When snyk --all-projects is ran, it runs `mvn dependency:tree` against each pom individually, and since they reference dependencies on liquibase-core:0-SNAPSHOT etc. those dependencies need to be installed for dependency:tree to succeed. | |
## This builds and installs the sub-modules so they are available. | |
- name: Install modules | |
run: | | |
mvn -B test-compile install -DskipTests=true | |
## snyk monitor requires --all-projects because otherwise it only reports on the dependencies of one of the sub-modules. It would be nice if we could have one snyk project which included all the sub-modules in it, but that doesn't seem possible at this point | |
## Run monitor before test, so that we report results even if the test step fails | |
- name: Report snyk status to web UI | |
run: | | |
./snyk monitor --all-projects --org=datical --policy-path=.snyk -- -B -Dscope=compile | |
## snyk test requires --all-projects because otherwise it does not fail the run when a problem is found. It just prints "no direct upgrade or path" and continues on | |
## Running with -Dscope=compile in order to report only on shipped modules, not "test" or "provided" scope ones | |
- name: Run Snyk Test to check for vulnerabilities | |
run: | | |
./snyk test --fail-on=all --all-projects --severity-threshold=low --org=datical --policy-path=.snyk -- -B -Dscope=compile | |
- name: Slack Notification | |
if: ${{ failure() }} | |
uses: rtCamp/action-slack-notify@v2 | |
env: | |
SLACK_CHANNEL: team-liquibase-community | |
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff' | |
SLACK_MESSAGE: "${{ github.job }}: ${{ job.status }} @here" | |
SLACK_USERNAME: "liquibot" | |
SLACK_WEBHOOK: ${{ secrets.SNYK_LIQUIBASE_SLACK_WEBHOOK }} | |
MSG_MINIMAL: actions url | |
SLACK_ICON_EMOJI: ':liquibase:' | |
SLACK_LINK_NAMES: true |