security-scan.yml

name: Security Scan

on:
  pull_request:
    branches: [master]
  schedule:
    - cron: '0 12 * * 1' # 12pm UTC every Monday
  workflow_dispatch:

jobs:
  scan-code:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Snyk code scan
        uses: snyk/actions/node@master
        if: always()
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_KEY }}
        with:
          command: code test --all-sub-projects --severity-threshold=medium

      - name: Snyk dependency scan
        uses: snyk/actions/node@master
        if: always()
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_KEY }}
        with:
          args: --all-sub-projects --severity-threshold=high

      - name: Slack Alert on Failure
        if: failure()
        id: slack
        uses: slackapi/slack-github-action@v1.27.0
        with:
          channel-id: ${{ vars.SLACK_DUCKBOT_SECURITY_SCAN_ALERT_CHANNEL_ID}}
          payload: |
            {
              "text": "Security Scan Failed"
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "GitHub Action build result: ${{ job.status }}\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_DUCKBOT_API_KEY }}