ci: add snyk scanning

adding snyk github action to run when a PR is merged to the release branch or when a new release is done. Run snyk weekly on the devel branch. This will help us to track the security scanning results and fix if anything is required and also it serves as a placeholder for security scanning result for a while. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
ceph · Nov 15, 2023 · aa0c660 · aa0c660
1 parent 593d9c3
commit aa0c660
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -0,0 +1,30 @@
+---
+name: Security scanning
+# yamllint disable-line rule:truthy
+on:
+  schedule:
+    # Run weekly on Monday
+    - cron: '0 0 * * 1'
+  push:
+    tags:
+      - v*
+    branches:
+      - release-*
+
+permissions:
+  contents: read
+
+jobs:
+  security:
+    if: github.repository == 'ceph/ceph-csi'
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: run Snyk to check for code vulnerabilities
+        uses: snyk/actions/golang@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}