-
Notifications
You must be signed in to change notification settings - Fork 151
54 lines (46 loc) · 1.64 KB
/
snyk-test.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
name: Test dependencies with Snyk
on:
# Run this check every day at 03:00 to find potential new vulnerabilities in the develop branch
schedule:
- cron: "0 3 * * *"
jobs:
snyk-test:
runs-on: self-hosted
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
with:
ref: develop
- name: Build HORNET Docker image
run: docker build . --file Dockerfile --tag hornet:latest
- name: Run Snyk to check for Golang vulnerabilities
uses: snyk/actions/[email protected]
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --org=gohornet --sarif-file-output=snyk-golang.sarif
- name: Run Snyk to check for Docker image vulnerabilities
uses: snyk/actions/[email protected]
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: hornet:latest
# Exclude Go app vulns because those are picked up by the previous scan
# For Docker scans, the SARIF is created by default
args: --org=gohornet --file=Dockerfile --exclude-app-vulns
- name: Upload Golang results to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-golang.sarif
category: snyk-golang
- name: Upload Docker results to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
category: snyk-docker