nodejs-goof-insights/.github/workflows/snyk-ci.yaml at 0bcbacac80b496f972b60392f6347ea4214e4b91 · iuriikogan-snyk/nodejs-goof-insights · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: DEMO CI Action
## requires SNYK_TOKEN and SNYK_ORG_ID secret
on:
  workflow_dispatch:
  pull_request:
    branches: main

env:
  IMAGE_NAME: nodejs-goof-insights
  IMAGE_TAG: v1.1.9
  PLATFORM: linux/amd64
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}

jobs:
  build:
    name: Snyk Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
      - name: Use Node.js 20.x
        uses: actions/setup-node@v2
        with:
          node-version: 20.x

      - name: Build project
        run: npm install --legacy-peer-deps

      - name: Setup Snyk + snyk-filter # For information about the required commands https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ci-cd-integrations
        run: |
          npm install snyk snyk-filter -g
          snyk auth $SNYK_TOKEN --auth-type=token

      - name: Snyk Open Source
        run: |
          snyk test --json | snyk-filter
        ## you can edit the .snyk-filter/snyk.yaml file in order to apply additional filters
        continue-on-error: true
        # snyk test --json --print-deps | snyk-delta --setPassIfNoBaseline false ## you can use snyk-delta to diff between previous snapshots for the same project

    # Use git submodules to centrally manage a .snyk policy file
      - name: Checkout .snyk file from private repo
        uses: actions/checkout@v4
        with:
          repository: iuriikogan-snyk/snyk-policy-master
          path: 'snyk'
          token: ${{ secrets.SNYK_REPO_TOKEN }}

      - name: Snyk Code
        run: |
          cp ./snyk/.snyk ./.snyk
          echo $(cat ./snyk/snyk_sha) | sha256sum -c -
          snyk code test
        # --policy-path='snyk'
        continue-on-error: true

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Snyk Container Test

        run: |
          docker build -f ./Dockerfile . \
          --tag ${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} --platform=${{ env.PLATFORM }}

          snyk container test ${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} --file=Dockerfile \
          --exclude-app-vulns --platform=${{ env.PLATFORM }}

        # Rename your image, for uploading directly to your snyk org please use the command "snyk container monitor $container_name/$tag --org=$ORG_ID"
        continue-on-error: true

      - name: Snyk IaC
        run: snyk iac test --org=${{ secrets.SNYK_ORG_ID }}
        continue-on-error: true