Add Semgrep, Dependabot, and Snyk workflows (#565)
jimmyjames authored Sep 27, 2023
1 parent 9b16eca commit dc2fd1e
Showing 5 changed files with 118 additions and 9 deletions.
14 changes: 14 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,14 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"

- package-ecosystem: "gradle"
directory: "lib"
schedule:
interval: "daily"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
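Review bot: The blanket `ignore` for the Gradle ecosystem (`dependency-name: "*"` with `version-update:semver-major`) can also suppress Dependabot security update PRs whose only fix is a new major release, since to my recollection Dependabot's security updates honour `ignore` conditions; please confirm and record the trade-off above the `ignore:` key, e.g. `# Majors are not auto-bumped; a vulnerability fixed only in a major release must be caught by Snyk or manual review`. Separately, `directory: "lib"` has no leading slash while the Actions entry uses `"/"`; Dependabot documents the directory as a path from the repository root, so `"/lib"` is the safer spelling and matches the other entry.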
41 changes: 33 additions & 8 deletions .github/workflows/semgrep.yml
@@ -1,23 +1,48 @@
name: Semgrep

on:
pull_request: {}

merge_group:
pull_request_target:
types:
- opened
- synchronize
push:
branches: ["master", "main"]

branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
semgrep:
name: Scan
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

run:
needs: authorize # Require approval before running on forked pull requests

name: Check for Vulnerabilities
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')

steps:
- uses: actions/checkout@v3
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- run: semgrep ci
env:
Expand Down
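Review bot: Running `semgrep ci` on a checkout of `github.event.pull_request.head.sha` under a `pull_request_target` trigger is only safe because the `authorize` job's `external` environment is expected to require manual approval, and nothing in this YAML enforces that: if the environment does not exist or has no required reviewers in the repository settings, the `run` job proceeds for fork PRs with the workflow's secrets available, so document the dependency right above `authorize:` with `# 'external' must be configured with required reviewers in repo settings; otherwise this gate is a no-op for forks`. The `exit 0` step under `steps:` also does not do what its comment says: a step that exits 0 just succeeds, and the checkout and `semgrep ci` steps after it still run for dependabot and merge-queue events, whereas the job-level `if:` this commit removes really did skip them; move the condition onto those later steps as `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'` and drop the `exit 0` step. The hunk continues past the visible `env:` line, so the contents of that block were not reviewed here.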
47 changes: 47 additions & 0 deletions .github/workflows/snyk.yml
@@ -0,0 +1,47 @@
name: Snyk

on:
merge_group:
workflow_dispatch:
pull_request:
types:
- opened
- synchronize
push:
branches:
- master
schedule:
- cron: '30 0 1,15 * *'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
authorize:
name: Authorize
environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
runs-on: ubuntu-latest
steps:
- run: true

check:
needs: authorize

name: Check for Vulnerabilities
runs-on: ubuntu-latest

steps:
- if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.

- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}

- uses: snyk/actions/gradle-jdk11@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
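Review bot: The `exit 0` step at the top of `steps:` does not skip the rest of the job; a step that exits 0 merely succeeds, and the following `actions/checkout@v4` and `snyk/actions/gradle-jdk11` steps still execute for dependabot PRs and merge-queue runs. For Dependabot-triggered `pull_request` runs the repository secret is, as far as I know, not exposed, so `SNYK_TOKEN` would be empty and the Snyk step would fail the required check, which is exactly what the comment is trying to avoid. Put the condition on the steps that should be skipped, `if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'` on both the checkout and the Snyk step, and delete the `exit 0` step. Note also that with a plain `pull_request` trigger a forked PR never receives `SNYK_TOKEN` at all, so the `external` environment gate in `authorize` adds an approval step here without protecting anything; a comment saying why the gate is kept anyway (or dropping it for this workflow) would avoid confusion.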
14 changes: 14 additions & 0 deletions .snyk
@@ -0,0 +1,14 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
- '*':
reason: 'unaffected, only affects createTempFile and createTempDir kotlin function, which are not used'
expires: 2023-12-31T00:00:00.000Z
SNYK-JAVA-ORGBOUNCYCASTLE-5771339:
- '*':
reason: 'test-only dependency, no update available'
expires: 2023-12-31T00:00:00.000Z

patch: {}
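Review bot: The reason on `SNYK-JAVA-ORGBOUNCYCASTLE-5771339`, 'test-only dependency, no update available', reads oddly next to this same commit bumping `bcprov-jdk15on` from 1.68 to 1.70 in build.gradle; if 1.70 is the last `jdk15on` release and the fix ships only in the `jdk18on` artifact (my recollection, please verify against the advisory), state that so the next reader knows the remediation is a coordinate change rather than a version bump, e.g. `reason: 'test-only; no fixed jdk15on release, migration to bcprov-jdk18on tracked separately'`. Both ignores expire on 2023-12-31, roughly three months out, which is a sensible forcing function as long as someone re-evaluates them then instead of just extending the date.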
11 changes: 10 additions & 1 deletion build.gradle
Expand Up @@ -81,12 +81,21 @@ dependencies {
implementation "com.auth0:java-jwt:4.4.0"
implementation "net.jodah:failsafe:2.4.4"

testImplementation "org.bouncycastle:bcprov-jdk15on:1.68"
testImplementation "org.bouncycastle:bcprov-jdk15on:1.70"
testImplementation "org.mockito:mockito-core:4.8.1"
testImplementation "com.squareup.okhttp3:mockwebserver:${okhttpVersion}"
testImplementation "org.hamcrest:hamcrest:${hamcrestVersion}"
testImplementation "org.junit.jupiter:junit-jupiter-api:${jupiterVersion}"
testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:${jupiterVersion}"

// Override MockWebServer's junit transitive dependency to latest v4
constraints {
testImplementation( group: 'junit', name: 'junit'){
version{
strictly "[4.13.2]"
}
}
}
}

// Creates a version.txt file containing the current version of the SDK.
Expand Down
