2.11.5c: add scan-with-codeql action #16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Name of the GitHub Actions workflow | |
| name: Scan PHP code with Snyk Code | |
| # Define when the workflow should be triggered | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - development | |
| pull_request: | |
| # Trigger when code is pushed or pull requests are opened/updated on 'main' and 'development' branches | |
| # Define the job(s) to be executed within the workflow | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| name: Run Snyk | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| # Define an environment variable 'SNYK_TOKEN' to securely store your Snyk token | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| # Action to check out the code from the repository | |
| # This step fetches the codebase from your GitHub repository | |
| - name: Install Snyk & Authenticate | |
| run: | | |
| # Install Snyk globally and authenticate using the provided token | |
| sudo npm install -g snyk | |
| snyk auth ${SNYK_TOKEN} | |
| # The 'SNYK_TOKEN' is securely stored as a GitHub secret | |
| - name: Run Snyk Code | |
| run: | | |
| # Run Snyk Code to scan PHP code | |
| snyk code test -d --org="5647cfeb-45c0-4c43-89a1-3459fe25c145" --sarif > snyk-results.sarif | |
| # Use the provided organization ID and generate SARIF report | |
| continue-on-error: true | |
| # Continue to the next step even if Snyk encounters errors | |
| - name: Upload results from Snyk to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: snyk-results.sarif | |
| # Action to upload the results of the Snyk scan in SARIF format |