chore(codeql): setup snyk

brc-dd · May 18, 2024 · 1f7b3d8 · 1f7b3d8
1 parent 7cacbfc
commit 1f7b3d8
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 5 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -47,22 +47,36 @@ jobs:
       - run: pnpm lint && [ -z "$(git status --porcelain)" ]
       - run: pnpm test:deno && pnpm test:bun
 
-  devskim:
-    name: devskim
+  codeql-others:
+    name: codeql (devskim, snyk)
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
     steps:
       - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
       - uses: microsoft/devskim-action@v1
         with:
           directory-to-scan: src
-      - run: |
-          jq '(.. | select(type == "object" and .artifactLocation and .artifactLocation.uri) | .artifactLocation.uri) |= "src/" + .' devskim-results.sarif > devskim-results.sarif.tmp
-          mv devskim-results.sarif.tmp devskim-results.sarif
+      - run: node scripts/normalize-sarif.js devskim-results.sarif
       - uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: devskim-results.sarif
           category: devskim
+
+      - run: pnpm install -g snyk
+      - run: snyk auth ${{ secrets.SNYK_TOKEN }}
+      - run: snyk monitor --all-projects
+      - run: snyk code test $(realpath src) --sarif > snyk-results.sarif
+      - run: node scripts/normalize-sarif.js snyk-results.sarif
+      - uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk-results.sarif
+          category: snyk
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,5 @@ node_modules
 dist
 *.log
 *.tgz
+.dccache
+*.sarif
diff --git a/scripts/normalize-sarif.js b/scripts/normalize-sarif.js
@@ -0,0 +1,29 @@
+import assert from 'node:assert'
+import fs from 'node:fs/promises'
+import path from 'node:path'
+
+const file = path.resolve(process.argv[2])
+const data = await fs.readFile(file, 'utf8')
+const sarif = JSON.parse(data)
+
+function traverse(obj) {
+  for (const key in obj) {
+    if (key === 'uri') {
+      assert(typeof obj[key] === 'string')
+      obj[key] = 'src/' + obj[key]
+    } else if (key === 'uriBaseId') {
+      delete obj[key]
+    } else if (typeof obj[key] === 'object') {
+      traverse(obj[key])
+    }
+  }
+}
+
+traverse(sarif)
+
+if (sarif.version === '2.1.0') {
+  sarif.$schema = 'https://json.schemastore.org/sarif-2.1.0.json'
+}
+
+await fs.writeFile(file + '.tmp', JSON.stringify(sarif, null, 2) + '\n')
+await fs.rename(file + '.tmp', file)