feat(scalaSBT): add new Scala SBT action (#144)
Showing 4 changed files with 111 additions and 0 deletions.
@@ -0,0 +1,83 @@ | ||
# Snyk SBT1.10.0 (Scala3.4.2) Action | ||
|
||
A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for | ||
vulnerabilities in your SBT1.10.0-Scala3.4.2 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. | ||
|
||
|
||
You can use the Action as follows: | ||
|
||
```yaml | ||
name: Example workflow for SBT1.10.0 using Snyk | ||
on: push | ||
jobs: | ||
security: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@master | ||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/sbt1.10.0-scala3.4.2@master | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
``` | ||
|
||
## Properties | ||
|
||
The Snyk SBT1.10.0 Action has properties which are passed to the underlying image. These are passed to the action using `with`. | ||
|
||
| Property | Default | Description | | ||
| -------- | ------- | --------------------------------------------------------------------------------------------------- | | ||
| args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | | ||
| command | test | Specify which command to run, for instance test or monitor | | ||
| json | false | In addition to the stdout, save the results as snyk.json | | ||
|
||
For example, you can choose to only report on high severity vulnerabilities. | ||
|
||
```yaml | ||
name: Example workflow for SBT1.10.0 using Snyk | ||
on: push | ||
jobs: | ||
security: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@master | ||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/sbt1.10.0-scala3.4.2@master | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --severity-threshold=high | ||
``` | ||
|
||
## Uploading Snyk scan results to GitHub Code Scanning | ||
|
||
Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. | ||
|
||
![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) | ||
|
||
The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: | ||
|
||
```yaml | ||
name: Example workflow for SBT1.10.0 using Snyk | ||
on: push | ||
jobs: | ||
security: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@master | ||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/sbt1.10.0-scala3.4.2@master | ||
continue-on-error: true # To make sure that SARIF upload gets called | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --sarif-file-output=snyk.sarif | ||
- name: Upload result to GitHub Code Scanning | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: snyk.sarif | ||
``` | ||
|
||
Made with 💜 by Snyk | ||
|
||
[cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' | ||
[cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' |
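Review bot: Every `uses:` reference in the three README workflows is a mutable ref (`actions/checkout@master`, `snyk/actions/sbt1.10.0-scala3.4.2@master`, `github/codeql-action/upload-sarif@v2`), so anyone copying these snippets runs whatever those branches or tags resolve to at the time of the job; for a security-scanning action that receives `SNYK_TOKEN`, the examples should pin to a release tag at minimum and preferably a full commit SHA (`actions/checkout@<sha> # v4`). Secondly, the SARIF section tells readers to add `continue-on-error: true` without stating the consequence: the job then succeeds even when `snyk test` finds vulnerabilities, and the only signal left is the Code Scanning upload. One sentence saying so, or a follow-up step that fails the job when the Snyk step's `outcome` is `failure`, would stop the snippet being read as a merge gate. Minor: the title and prose run the versions together (`SBT1.10.0-Scala3.4.2`); `sbt 1.10.0 / Scala 3.4.2` reads more clearly and matches what the directory name encodes.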
@@ -0,0 +1,26 @@ | ||
name: "Snyk SBT1.10.0 (Scala3.4.2)" | ||
description: "Check your SBT1.10.0 application for vulnerabilties using Snyk" | ||
author: "Gareth Rushgrove" | ||
branding: | ||
icon: "alert-triangle" | ||
color: "yellow" | ||
inputs: | ||
command: | ||
description: "Which Snyk command to run, defaults to test" | ||
default: test | ||
args: | ||
description: "Additional arguments to pass to Snyk" | ||
json: | ||
description: "Output a snyk.json file with results if running the test command" | ||
default: false | ||
runs: | ||
using: "docker" | ||
image: "docker://snyk/snyk:sbt1.10.0-scala3.4.2" | ||
env: | ||
FORCE_COLOR: 2 | ||
SNYK_INTEGRATION_NAME: GITHUB_ACTIONS | ||
SNYK_INTEGRATION_VERSION: sbt1.10.0-scala3.4.2 | ||
args: | ||
- snyk | ||
- ${{ inputs.command }} | ||
- ${{ inputs.args }} |
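Review bot: The `json` input (default `false`, documented in the README properties table as saving results to `snyk.json`) is declared but never referenced under `runs.args`, which forwards only `${{ inputs.command }}` and `${{ inputs.args }}`; as written, `with: json: true` is silently ignored. Either pass it through (for example by appending `--json-file-output=snyk.json` when it is true) or drop the input and the README row so the documentation matches the behaviour. Also, `image: "docker://snyk/snyk:sbt1.10.0-scala3.4.2"` is a floating tag; pinning to an image digest (`snyk/snyk@sha256:<digest>`) would make the scanner image itself reproducible, which matters for a container that runs with the repository's `SNYK_TOKEN`. Typo in `description`: `vulnerabilties`.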