adding Snyk code SAST in addition to vulerability test in workflows (0…

…xPolygon#823) * adding Snyk code SAST in addition to vulerability test in workflows * updating job name to avoid dupe * separating code to its own job * syntax * Setting severity threshhold for license vul to high * adding explicit snyk org * adding snyk org secrets to devnet and testnet workflow * syntax * missed
NEXTEP-CXS · Oct 21, 2022 · 46a988b · 46a988b
1 parent c45f751
commit 46a988b
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,5 +23,20 @@ jobs:
       - uses: actions/checkout@master
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/golang@master
+        with:
+          args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  snyk-code:
+    name: Snyk Code
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk SAST to check for code vulnerabilities
+        uses: snyk/actions/golang@master
+        with:
+          command: code test
+          args: --org=${{ secrets.SNYK_ORG }}
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/deploy.devnet.yml b/.github/workflows/deploy.devnet.yml
@@ -18,6 +18,7 @@ jobs:
     uses: 0xpolygon/polygon-edge/.github/workflows/security.yml@develop
     secrets:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      SNYK_ORG: ${{ secrets.SNYK_ORG }}
 
   build:
     name: Build

diff --git a/.github/workflows/deploy.testnet.yml b/.github/workflows/deploy.testnet.yml
@@ -17,6 +17,7 @@ jobs:
     uses: 0xpolygon/polygon-edge/.github/workflows/security.yml@develop
     secrets:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      SNYK_ORG: ${{ secrets.SNYK_ORG }}
 
   build:
     uses: 0xpolygon/polygon-edge/.github/workflows/build.yml@develop

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -5,6 +5,8 @@ on:  # yamllint disable-line rule:truthy
     secrets:
       SNYK_TOKEN:
         required: true
+      SNYK_ORG:
+        required: true
   workflow_dispatch: {}
   schedule:
     - cron: '0 0 * * 0'
@@ -23,7 +25,26 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --sarif-file-output=snyk.sarif
+          args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+  snyk-code:
+    name: Snyk Code and Publish
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@master
+      - name: Run Snyk SAST to check for vulnerabilities
+        uses: snyk/actions/golang@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
+          command: code test
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
         with: