Skip to content

Kyu6

Kyu6 #45

Workflow file for this run

---
name: "Snyk"
on: # yamllint disable-line rule:truthy
pull_request_target:
types:
- opened
- edited
- synchronize
- reopened
workflow_call:
secrets:
snyk_token:
description:
'A Snyk token passed from the caller workflow'
required: true
jobs:
security:
permissions:
# for actions/checkout to fetch code
contents: read
# for github/codeql-action/upload-sarif to upload SARIF results
security-events: write
# only required for a private repository by
# github/codeql-action/upload-sarif to get the Action run status
actions: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: snyk/actions/setup@master
# Source: https://github.com/actions/setup-python
- uses: actions/setup-python@v5
with:
python-version: '3.11'
check-latest: true
- name: Install python prerequisites
run:
python -m pip install -r requirements.txt
# If you want to send data to Snyk, and be alerted when new
# vulnerabilities are discovered, you can run Snyk monitor like so:
- name: Run Snyk to send data to Snyk
run:
snyk monitor
env:
token: ${{ secrets.snyk_token }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Check/Upgrade setuptools version
run: |
python --version
python -m pip install --upgrade pip wheel
yes | python -m pip uninstall setuptools
python -m pip install --upgrade setuptools
python -m pip show setuptools
- name: Run Snyk to check for vulnerabilities
# yamllint disable rule:line-length
run:
snyk test --sarif-file-output=snyk.sarif --file=requirements.txt --package-manager=pip
# yamllint enable rule:line-length
env:
token: ${{ secrets.snyk_token }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# To make sure that SARIF upload gets called
# continue-on-error: true
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
# Run a github-actions step, even if the previous step fails,
# while still failing the job
if: success() || failure()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif