Skip to content

Snyk Scan

Snyk Scan #175

Workflow file for this run

# Run Snyk nightly to scan and report security issues.
name: Snyk Scan
# Job will run nightly at 02:05 EDT / 01:05 CDT
# Time below is UTC
on:
schedule:
- cron: "5 6 * * *"
workflow_dispatch:
permissions:
contents: read
jobs:
security-scan:
# This workflow only runs on the main liquibase repo, not in forks
if: github.repository == 'liquibase/liquibase'
name: Snyk Security Scan
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v3
- name: Set up JDK 11
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
cache: 'maven'
## Need to install the snyk CLI and not use the github action because the action runs snyk in a separate docker container which does not have access to the installed sub-modules.
- name: Install snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
curl -s https://static.snyk.io/cli/latest/snyk-linux -o snyk
ls -l snyk
chmod 755 snyk
./snyk config set api="$SNYK_TOKEN"
## When snyk --all-projects is ran, it runs `mvn dependency:tree` against each pom individually, and since they reference dependencies on liquibase-core:0-SNAPSHOT etc. those dependencies need to be installed for dependency:tree to succeed.
## This builds and installs the sub-modules so they are available.
- name: Install modules
run: |
mvn -B test-compile install -DskipTests=true
## snyk monitor requires --all-projects because otherwise it only reports on the dependencies of one of the sub-modules. It would be nice if we could have one snyk project which included all the sub-modules in it, but that doesn't seem possible at this point
## Run monitor before test, so that we report results even if the test step fails
- name: Report snyk status to web UI
run: |
./snyk monitor --all-projects --org=datical --policy-path=.snyk -- -B -Dscope=compile
## snyk test requires --all-projects because otherwise it does not fail the run when a problem is found. It just prints "no direct upgrade or path" and continues on
## Running with -Dscope=compile in order to report only on shipped modules, not "test" or "provided" scope ones
- name: Run Snyk Test to check for vulnerabilities
run: |
./snyk test --fail-on=all --all-projects --severity-threshold=low --org=datical --policy-path=.snyk -- -B -Dscope=compile
- name: Slack Notification
if: ${{ failure() }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: team-liquibase-community
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
SLACK_MESSAGE: "${{ github.job }}: ${{ job.status }} @here"
SLACK_USERNAME: "liquibot"
SLACK_WEBHOOK: ${{ secrets.SNYK_LIQUIBASE_SLACK_WEBHOOK }}
MSG_MINIMAL: actions url
SLACK_ICON_EMOJI: ':liquibase:'
SLACK_LINK_NAMES: true