From d8cef334b46d84f46367e20b54077332df6d4755 Mon Sep 17 00:00:00 2001
From: Ethan
Date: Tue, 31 May 2022 08:45:11 -0400
Subject: [PATCH 1/2] Snyk SBOM workflow add
---
.github/workflows/snyk.yml | 60 ++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 .github/workflows/snyk.yml
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000000000..bbbf9284cc3d8
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,60 @@
+name: Snyk SBOM CI
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ snyk_scans:
+
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - uses: actions/checkout@v3
+ - name: Run Snyk to check for vulnerabilities - sarif output
+ continue-on-error: true
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ command: test
+ args: --all-projects --sarif-file-output=${{ github.event.repository.name }}.sarif --strict-out-of-sync=false
+
+ - name: Run Snyk to check for vulnerabilities - json output
+ continue-on-error: true
+ uses: snyk/actions/node@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ command: test
+ args: --json --all-projects --json-file-output=${{ github.event.repository.name }}.json --strict-out-of-sync=false
+
+ - name: Use Node.js 18.x
+ uses: actions/setup-node@v2
+ with:
+ node-version: 18.x
+ cache: 'npm'
+
+ - name: install snyk-to-html
+ run: |
+ npm install snyk-to-html snyk2spdx snyk -g
+ snyk auth ${{ secrets.SNYK_TOKEN }}
+ snyk-to-html -i ${{ github.event.repository.name }}.json -o ${{ github.event.repository.name }}.html
+ snyk test --json --strict-out-of-sync=false | snyk2spdx --output ${{ github.event.repository.name }}.spdx
+
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ github.event.repository.name }}.sarif
+
+ - name: Create results dir
+ run: mkdir -p snyk_scans && cp -v ${{ github.event.repository.name }}.{html,json,sarif,spdx} snyk_scans/
+
+ - name: Use the Upload Artifact GitHub Action
+ uses: actions/upload-artifact@v2
+ with:
+ name: snyk_scans
+ path: snyk_scans
\ No newline at end of file
From 5db7303175ead57d56b28dce34687debb608adda Mon Sep 17 00:00:00 2001
From: Ethan
Date: Tue, 31 May 2022 09:27:18 -0400
Subject: [PATCH 2/2] Update snyk.yml
---
.github/workflows/snyk.yml | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
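Review bot: Both Snyk steps pull `snyk/actions/node@master`, a floating branch ref on a third-party action, and the `install snyk-to-html` step does an unversioned global `npm install snyk-to-html snyk2spdx snyk -g`; each of those can change between runs while executing with the repository checkout and `SNYK_TOKEN` in scope, so pin the action to a commit SHA (`uses: snyk/actions/node@<commit-sha>  # vX.Y`) and the npm packages to exact versions. The `upload-sarif` step needs `security-events: write`, which a read-only default `GITHUB_TOKEN` does not grant, so declare least privilege at workflow top level: `permissions:` / `  contents: read` / `  security-events: write`. `snyk auth ${{ secrets.SNYK_TOKEN }}` places the secret on a command line (visible in process listings and to any child process) even though the two scan steps already rely on the CLI reading `SNYK_TOKEN` from the environment; add `env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` to that step and drop the `snyk auth` line. Finally, `continue-on-error: true` on both scan steps means a failed or vulnerable scan never fails the job — acceptable for a report-only workflow, but worth a comment such as `# report-only: findings are uploaded, never block the build` so nobody assumes this gate is enforced.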
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index bbbf9284cc3d8..824d888b1af3c 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -16,7 +16,7 @@ jobs: - uses: actions/checkout@v3 - name: Run Snyk to check for vulnerabilities - sarif output continue-on-error: true - uses: snyk/actions/node@master + uses: snyk/actions/golang@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with:
@@ -25,19 +25,13 @@ jobs: - name: Run Snyk to check for vulnerabilities - json output continue-on-error: true - uses: snyk/actions/node@master + uses: snyk/actions/golang@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: command: test args: --json --all-projects --json-file-output=${{ github.event.repository.name }}.json --strict-out-of-sync=false - - name: Use Node.js 18.x - uses: actions/setup-node@v2 - with: - node-version: 18.x - cache: 'npm' - - name: install snyk-to-html run: | npm install snyk-to-html snyk2spdx snyk -g
@@ -57,4 +51,4 @@ jobs: uses: actions/upload-artifact@v2 with: name: snyk_scans - path: snyk_scans \ No newline at end of file + path: snyk_scans
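Review bot: The replacement `uses: snyk/actions/golang@master` in both hunks keeps the floating branch reference the first patch introduced, so the supply-chain exposure of running an unpinned third-party action with `SNYK_TOKEN` in scope is unchanged; pin it to a commit SHA, `uses: snyk/actions/golang@<commit-sha>  # vX.Y`. Removing the `setup-node` step also makes the later `npm install snyk-to-html snyk2spdx snyk -g` depend on whatever Node/npm the `ubuntu-latest` image happens to ship, which is one more unpinned input to the report-generation step; if Node is only needed for the converters, keeping a pinned `actions/setup-node` step with an explicit `node-version` is the cheaper way to stay reproducible. The `install snyk-to-html` step begins inside the second hunk but its `run:` body continues past the hunk's last line.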