Merge pull request #155 from ncats/removesnyk

Removesnyk

.github/workflows/codeql.yml

@@ -27,7 +27,8 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners (GitHub.com only)
     # Consider using larger runners or machines with greater resources for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    runs-on:
+      group: ncats-onprem-internal-runners
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       # required for all workflows

.github/workflows/snyk-zap-ramp-client.yaml → .github/workflows/snyk-ramp-client.yaml

@@ -1,5 +1,5 @@
 # Define the name of the workflow
-name: snyk-zap-client
+name: snyk-client
 
 # Define variables
 env:
@@ -16,7 +16,6 @@ on:
 
 # Define the jobs that will be executed as part of the workflow 
 jobs:
-  # Job to build and push the ZAP Docker image to Docker Hub
   Snyk-Docker-Image:
     runs-on:
       group: ncats-onprem-internal-runners
@@ -80,78 +79,6 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
         with:
+          command: monitor
           image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION
           args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile
-
-      - name: Replace security-severity undefined for license-related findings 
-        run: |
-          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
-          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
-
-      # Step 6: Upload result to GitHub Code Scanning
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk.sarif 
-
-      # Step 7: Generate Security Report
-      - name: Generate Security Report
-        continue-on-error: true
-        uses: rsdmike/[email protected]
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            sarifReportDir: .
-
-      # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download.
-      - name: Upload Artifacts
-        continue-on-error: true
-        uses: actions/upload-artifact@v4
-        with: 
-            name: reports
-            path: ./*.pdf
-
-  ZAP-Docker-Scan:
-    needs: Snyk-Docker-Image
-    runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      issues: write
-
-    steps:
-      # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job
-      - name: Get BUILD_VERSION from Snyk-Docker-Image job
-        id: get_runner_ip
-        run: |
-          echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV
-          echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)"
-
-      # Step 2: Add the command to start Docker image on port 8000
-      - name: Start Docker image on port 8000
-        continue-on-error: true
-        run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }}
-
-      # Step 3: ZAP BASELINE SCAN
-      - name: ZAP base Scan
-        continue-on-error: true
-        uses: zaproxy/[email protected]
-        with:
-          target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner
-          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fail_action: false
-
-      # Step 4: Stop and remove the Docker container
-      - name: Stop and remove Docker container
-        run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true
-
-      # Step 5: Create SARIF file from ZAP results
-      - name: Create SARIF file from ZAP results
-        uses: SvanBoxel/zaproxy-to-ghas@main
-
-      # Step 6: Upload SARIF file to GitHub Code Scanning
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif

.github/workflows/snyk-zap-ramp-server.yaml → .github/workflows/snyk-ramp-server.yaml

@@ -1,5 +1,5 @@
 # Define the name of the workflow
-name: snyk-zap-server
+name: snyk-server
 
 # Define variables
 env:
@@ -80,78 +80,6 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
         with:
+          command: monitor
           image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION
           args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile
-
-      - name: Replace security-severity undefined for license-related findings 
-        run: |
-          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
-          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
-
-      # Step 6: Upload result to GitHub Code Scanning
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk.sarif 
-
-      # Step 7: Generate Security Report
-      - name: Generate Security Report
-        continue-on-error: true
-        uses: rsdmike/[email protected]
-        with:
-            token: ${{ secrets.GITHUB_TOKEN }}
-            sarifReportDir: .
-
-      # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download.
-      - name: Upload Artifacts
-        continue-on-error: true
-        uses: actions/upload-artifact@v4
-        with: 
-            name: reports
-            path: ./*.pdf
-
-  ZAP-Docker-Scan:
-    needs: Snyk-Docker-Image
-    runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      issues: write
-
-    steps:
-      # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job
-      - name: Get BUILD_VERSION from Snyk-Docker-Image job
-        id: get_runner_ip
-        run: |
-          echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV
-          echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)"
-
-      # Step 2: Add the command to start Docker image on port 8000
-      - name: Start Docker image on port 8000
-        continue-on-error: true
-        run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }}
-
-      # Step 3: ZAP BASELINE SCAN
-      - name: ZAP base Scan
-        continue-on-error: true
-        uses: zaproxy/[email protected]
-        with:
-          target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner
-          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
-          token: ${{ secrets.GITHUB_TOKEN }}
-          fail_action: false
-
-      # Step 4: Stop and remove the Docker container
-      - name: Stop and remove Docker container
-        run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true
-
-      # Step 5: Create SARIF file from ZAP results
-      - name: Create SARIF file from ZAP results
-        uses: SvanBoxel/zaproxy-to-ghas@main
-
-      # Step 6: Upload SARIF file to GitHub Code Scanning
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif