diff --git a/.github/workflows/security-app.yaml b/.github/workflows/security-app.yaml
new file mode 100644
index 0000000000..17daaa989e
--- /dev/null
+++ b/.github/workflows/security-app.yaml
@@ -0,0 +1,82 @@
+name: Security App
+
+on:
+ workflow_call:
+ inputs:
+ ref:
+ type: string
+ default: 5.3.0
+ required: false
+ project:
+ type: string
+ required: true
+ schedule:
+ # Weekly on Monday at 00:00 UTC
+ - cron: 0 0 * * 1
+
+jobs:
+ dependency-scan-api:
+ if: github.event_name == 'schedule' || inputs.project == 'api'
+ name: API
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: app/api
+ env:
+ # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+ REMOTE_REPOSITORY: dvsa/olcs-backend
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ env.REMOTE_REPOSITORY }}
+ path: app/api
+ - name: Setup Snyk
+ uses: snyk/actions/setup@master
+ - name: Scan api repository
+ run: snyk test
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ dependency-scan-selfserve:
+ if: github.event_name == 'schedule' || inputs.project == 'selfserve'
+ name: Selfserve
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: app/selfserve
+ env:
+ # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+ REMOTE_REPOSITORY: dvsa/olcs-selfserve
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ env.REMOTE_REPOSITORY }}
+ path: app/selfserve
+ - name: Setup Snyk
+ uses: snyk/actions/setup@master
+ - name: Scan selfserve repository
+ run: snyk test
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ dependency-scan-internal:
+ if: github.event_name == 'schedule' || inputs.project == 'internal'
+ name: Internal
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: app/internal
+ env:
+ # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+ REMOTE_REPOSITORY: dvsa/olcs-internal
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: ${{ env.REMOTE_REPOSITORY }}
+ path: app/internal
+ - name: Setup Snyk
+ uses: snyk/actions/setup@master
+ - name: Scan internal repository
+ run: snyk test
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
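Review bot: All three jobs reference `snyk/actions/setup@master`, a mutable branch ref, and the CLI that step installs is then run with `SNYK_TOKEN` in its environment, so whatever is on that branch at run time decides what code handles the secret; pin each of the three `uses:` lines to a full commit SHA, e.g. `uses: snyk/actions/setup@<full-commit-sha>  # <release tag>`. The `ref` input (default `5.3.0`) is declared but none of the `actions/checkout` steps passes it, so the scans appear to run against each remote repository's default branch regardless of the caller's value; adding `ref: ${{ inputs.ref }}` under each `with:` would make it effective (it is empty on `schedule`, where checkout falls back to the default branch). The workflow also sets no `permissions:` block, so a top-level `permissions:` with `contents: read` would keep the `GITHUB_TOKEN` at the minimum these read-only scan jobs need.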