diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 000000000..377ba1fc0 --- /dev/null +++ b/.github/workflows/snyk.yml @@ -0,0 +1,65 @@ +name: Snyk + +on: + merge_group: + pull_request_target: + types: + - opened + - synchronize + push: + branches: + - master + schedule: + - cron: "30 0 1,15 * *" + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} + +jobs: + authorize: + name: Authorize + environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} + runs-on: ubuntu-latest + steps: + - run: true + + check: + needs: authorize # Require approval before running on forked pull requests + + name: Check for Vulnerabilities + runs-on: windows-2022 + + steps: + - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' + run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. + + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.merge_commit_sha || github.ref }} + + - name: Install .NET Core + uses: actions/setup-dotnet@v3 + with: + dotnet-version: "6.0.x" + + - name: Dotnet Restore + run: dotnet restore + + # Install Snyk + - run: npm install snyk -g + + # Check that project is registered with Snyk when triggered from master branch + - if: github.ref == 'refs/heads/master' + run: snyk monitor --file=Auth0.Net.sln + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + continue-on-error: true + + # Report vulnerabilities + - run: snyk test --file=Auth0.Net.sln + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}