ESLint, Tests, and Snyk #206
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ESLint, Tests, and Snyk | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| schedule: | |
| - cron: "30 15 * * 5" | |
| jobs: | |
| Eslint_QL: | |
| name: Run ESLint scanning | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js | |
| uses: actions/setup-node@v3 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Install ESLint | |
| run: | | |
| npm install eslint | |
| npm install @microsoft/eslint-formatter-sarif@2.1.7 | |
| npm install @typescript-eslint/eslint-plugin | |
| npm install @typescript-eslint/parser | |
| npm install eslint-plugin-react | |
| npm install eslint-config-prettier | |
| - name: Run ESLint | |
| run: | | |
| npx eslint . --config .eslintrc.json --ext .js,.jsx,.ts,.tsx --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif | |
| continue-on-error: true | |
| - name: Fix SARIF file | |
| run: | | |
| node -e " | |
| const fs = require('fs'); | |
| const sarif = JSON.parse(fs.readFileSync('eslint-results.sarif', 'utf8')); | |
| sarif.runs[0].results.forEach(result => { | |
| if (result.suppressions) { | |
| result.suppressions = Array.from(new Set(result.suppressions.map(JSON.stringify))).map(JSON.parse); | |
| } | |
| }); | |
| fs.writeFileSync('eslint-results-fixed.sarif', JSON.stringify(sarif)); | |
| " | |
| - name: Upload analysis results to GitHub | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: eslint-results-fixed.sarif | |
| wait-for-processing: true | |
| Code_QL: | |
| needs: Eslint_QL | |
| name: Analyze | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: ["javascript", "typescript"] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| Run_Snyk_Tests: | |
| needs: Code_QL | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js | |
| uses: actions/setup-node@v3 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Install Snyk | |
| run: npm install -g snyk | |
| - name: Cache | |
| uses: actions/cache@v3.1.0-beta.1 | |
| continue-on-error: true | |
| with: | |
| # See here for caching with `yarn` https://github.com/actions/cache/blob/main/examples.md#node---yarn or you can leverage caching with actions/setup-node https://github.com/actions/setup-node | |
| path: | | |
| ~/.npm | |
| ${{ github.workspace }}/.next/cache | |
| # Generate a new cache whenever packages or source files change. | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} | |
| # If source files changed but packages didn't, rebuild from a prior cache. | |
| restore-keys: | | |
| ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}- | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| with: | |
| args: --all-projects --severity-threshold=high --json > snyk_report.json || true | |
| - name: Ensure Snyk report exists | |
| run: | | |
| if [ ! -f snyk_report.json ]; then | |
| echo "{}" > snyk_report.json | |
| fi | |
| - name: Run Snyk to check for vulnerabilities | |
| run: snyk code test --sarif > snyk-code.sarif || true | |
| - name: Snyk IaC test and report | |
| run: snyk iac test --report || true | |
| - name: Upload Snyk report | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: snyk_report | |
| path: snyk_report.json | |
| Run_App_Tests: | |
| needs: Code_QL | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js | |
| uses: actions/setup-node@v3 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Install Snyk | |
| run: npm install -g snyk | |
| - name: Cache | |
| uses: actions/cache@v3.1.0-beta.1 | |
| continue-on-error: true | |
| with: | |
| # See here for caching with `yarn` https://github.com/actions/cache/blob/main/examples.md#node---yarn or you can leverage caching with actions/setup-node https://github.com/actions/setup-node | |
| path: | | |
| ~/.npm | |
| ${{ github.workspace }}/.next/cache | |
| # Generate a new cache whenever packages or source files change. | |
| key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} | |
| # If source files changed but packages didn't, rebuild from a prior cache. | |
| restore-keys: | | |
| ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}- |