forked from liquibase/liquibase
69 lines (59 loc) · 3.32 KB
/
snyk.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Run Snyk nightly to scan and report security issues.
name: Snyk Scan
# Job will run nightly at 02:05 EDT / 01:05 CDT
# Time below is UTC
on:
schedule:
- cron: "5 6 * * *"
workflow_dispatch:
jobs:
security-scan:
# This workflow only runs on the main liquibase repo, not in forks
if: github.repository == 'liquibase/liquibase'
name: Snyk Security Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up JDK 8
uses: actions/setup-java@v2
with:
java-version: 8
distribution: 'adopt'
cache: 'maven'
## Need to install the snyk CLI and not use the github action because the action runs snyk in a separate docker container which does not have access to the installed sub-modules.
- name: Install snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
curl -s https://static.snyk.io/cli/latest/snyk-linux -o snyk
ls -l snyk
chmod 755 snyk
./snyk config set api="$SNYK_TOKEN"
## When snyk --all-projects is ran, it runs `mvn dependency:tree` against each pom individually, and since they reference dependencies on liquibase-core:0-SNAPSHOT etc. those dependencies need to be installed for dependency:tree to succeed.
## This builds and installs the sub-modules so they are available. The liquibase-core:test module has to be installed manually since it wasn't coming along with the regular mvn install
- name: Install modules
run: |
mvn -B -pl '!liquibase-dist' test-compile install -DskipTests=true
mvn -B org.apache.maven.plugins:maven-install-plugin:3.0.0-M1:install-file -Dfile=liquibase-core/target/liquibase-core-0-SNAPSHOT-tests.jar -Dpackaging=jar -Dclassifier=tests -DgroupId=org.liquibase -DartifactId=liquibase-core
## snyk monitor requires --all-projects because otherwise it only reports on the dependencies of one of the sub-modules. It would be nice if we could have one snyk project which included all the sub-modules in it, but that doesn't seem possible at this point
## Run monitor before test, so that we report results even if the test step fails
- name: Report snyk status to web UI
run: |
./snyk monitor --all-projects --org=datical --policy-path=.snyk -- -B -Dscope=compile
## snyk test requires --all-projects because otherwise it does not fail the run when a problem is found. It just prints "no direct upgrade or path" and continues on
## Running with -Dscope=compile in order to report only on shipped modules, not "test" or "provided" scope ones
- name: Run Snyk Test to check for vulnerabilities
run: |
./snyk test --fail-on=all --all-projects --severity-threshold=high --org=datical --policy-path=.snyk -- -B -Dscope=compile
- name: Slack Notification
if: ${{ failure() }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: team-liquibase
SLACK_COLOR: ${{ job.status }} # or a specific color like 'good' or '#ff00ff'
SLACK_MESSAGE: "${{ github.job }}: ${{ job.status }} @here"
SLACK_USERNAME: "liquibot"
SLACK_WEBHOOK: ${{ secrets.SNYK_LIQUIBASE_SLACK_WEBHOOK }}
MSG_MINIMAL: actions url
SLACK_ICON_EMOJI: ':liquibase:'
SLACK_LINK_NAMES: true