Snyk Security #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Snyk Security | |
on: | |
push: | |
branches: [ "main", "dev" ] | |
pull_request: | |
branches: [ "main", "dev" ] | |
schedule: | |
- cron: '0 0 */7 * *' # Run every 7 days | |
permissions: | |
contents: read | |
jobs: | |
snyk: | |
permissions: | |
contents: read | |
security-events: write | |
actions: read | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
- name: Set up Snyk CLI to check for security issues | |
uses: snyk/actions/setup@v1 | |
with: | |
version: 'v1.1048.0' | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
- name: Snyk Code test | |
run: snyk code test --sarif-file-output=snyk-code.sarif || true | |
- name: Snyk Open Source monitor | |
run: snyk monitor --all-projects | |
- name: Snyk IaC test and report | |
run: snyk iac test --sarif-file-output=snyk-iac.sarif || true | |
- name: Set up Docker | |
uses: docker/setup-buildx-action@v2 | |
- name: Build a Docker image | |
run: docker build -t your/image-to-test . | |
- name: Snyk Container monitor | |
run: snyk container monitor your/image-to-test --file=Dockerfile | |
- name: Upload Snyk Code result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: snyk-code.sarif | |
- name: Upload Snyk IaC result to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: snyk-iac.sarif | |
- name: Install Trivy | |
run: | | |
sudo apt-get update | |
sudo apt-get install wget -y | |
wget https://github.com/aquasecurity/trivy/releases/download/v0.30.4/trivy_0.30.4_Linux-64bit.deb | |
sudo dpkg -i trivy_0.30.4_Linux-64bit.deb | |
# Uncomment the following steps if you need to run Trivy scan | |
# - name: Run Trivy Vulnerability Scan on Docker Image | |
# run: trivy image --security-checks vuln,config --format json --output trivy-results.json your/image-to-test | |
# - name: Upload Trivy Results to GitHub Code Scanning | |
# uses: github/codeql-action/upload-sarif@v3 | |
# with: | |
# sarif_file: trivy-results.json | |
- name: Install OWASP ZAP | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y owasp-zap | |
- name: Run OWASP ZAP Baseline Scan | |
run: zap-baseline.py -t http://localhost:8080 -r zap_report.html || true | |
- name: Upload OWASP ZAP Report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: zap-report | |
path: zap_report.html |