Commit c9dd7cd

CI/CD - Added Snyk C/C++ Scanning Job
- added example C/C++ Code scanner using the Snyk GitHub Action. The `--unmanaged` flag indicates this is for a C/C++ codebase. In this example, it currently scans on a new pull request to the 'main' branch. The repository administrator should set both the SNYK_ORG and SNYK_TOKEN environment variables before merging this PR. The environment variables can be obtained from the LFX Security team.
- added *.h, *.c, *.cpp filter to only run the scan when source files are changed

Signed-off-by: David Deal <[email protected]>
1 parent 86d0fb0 commit c9dd7cd

1 file changed: +45 −0 lines changed


.github/workflows/snyk-scan-pr.yml

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
---
2+
# SPDX-License-Identifier: BSD-3-Clause
3+
# Copyright (c) Contributors to the OpenEXR Project.
4+
5+
name: Snyk Scan Code
6+
7+
on:
8+
# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
9+
pull_request:
10+
branches:
11+
- main
12+
paths:
13+
- '**.h'
14+
- '**.c'
15+
- '**.cpp'
16+
17+
jobs:
18+
snyk-scan-pr:
19+
runs-on: ubuntu-latest
20+
steps:
21+
- uses: actions/checkout@v4
22+
23+
- uses: snyk/actions/setup@master
24+
id: snyk
25+
26+
- name: Snyk version
27+
run: echo "${{ steps.snyk.outputs.version }}"
28+
29+
- name: Snyk Auth
30+
run: snyk auth ${{ secrets.SNYK_TOKEN }}
31+
32+
- name: Snyk Scan Code
33+
# Scan the C/C++ code for vulnerabilities using the Snyk CLI with the unmanaged flag
34+
# https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/c-c++ for options
35+
run: snyk test --unmanaged --print-dep-paths --org=${{ secrets.SNYK_ORG }}
36+
env:
37+
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
38+
continue-on-error: true # optional
39+
40+
- name: Monitor for Vulnerabilities
41+
# To import the test results (issues and dependencies) in the Snyk CLI, run the snyk monitor --unmanaged command:
42+
run: snyk monitor --unmanaged --org=${{ secrets.SNYK_ORG }}
43+
env:
44+
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
45+
continue-on-error: true # optional
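Review bot: The `Snyk Auth` step passes the token on the command line (`run: snyk auth ${{ secrets.SNYK_TOKEN }}`), which places the secret in the runner's process argument list and shell trace where it can leak into logs or be read by other processes; the two later steps already supply `SNYK_TOKEN` via `env:`, which the Snyk CLI honours, so the auth step is redundant and should be dropped (or, if kept, read the token from `env:` rather than argv). Two further points on this hunk: `snyk/actions/setup@master` is a mutable branch reference, so pin it to a release tag or commit SHA and add a top-level `permissions:` block (`contents: read` suffices for checkout) so the job does not inherit the default write-capable `GITHUB_TOKEN`; and with `continue-on-error: true` on both the `snyk test` and `snyk monitor` steps, findings can never fail the PR check, so either state in the commit message that the job is advisory only or drop the flag from the test step (optionally with `--severity-threshold`) once the baseline is clean. Finally, the commit message asks the administrator to set "environment variables", but the workflow reads `secrets.SNYK_ORG` and `secrets.SNYK_TOKEN`, so the message should say repository (or organisation) secrets to avoid a misconfigured first run.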
