Skip to content

Update .github/workflows/snyk-iac.yml #115

Update .github/workflows/snyk-iac.yml

Update .github/workflows/snyk-iac.yml #115

Workflow file for this run

# This is a Terraform-managed file; manual changes will be overwritten.
# see https://github.com/workloads/github-organization/blob/main/templates/workflows/snyk-iac.tftpl.yml
---
name: "Security: Snyk IaC"
# yamllint disable-line rule:truthy
on:
push:
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions: read-all
jobs:
workflow:
# only run if workflows are enabled
if: ${{ vars.ENABLE_WORKFLOWS == 'true' }}
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#concurrency
concurrency:
group: "${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: true
name: Snyk IaC
# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
security-events: write
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
# see https://github.com/actions/checkout/releases/tag/v4.1.6
- name: Checkout Repository
uses: "actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29" # ref: `tags/v4.1.6`
with:
fetch-depth: 1
# see https://github.com/snyk/actions/releases/tag/0.4.0
- name: Lint Code with Snyk
uses: "snyk/actions@b98d498629f1c368650224d6d212bf7dfa89e4bf" # ref: `tags/0.4.0`
env:
SNYK_ORG: "${{ vars.SNYK_ORG }}"
SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
with:
# scan all code in the root of the repository
file: "./"
# see https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/iac-ignores-using-the-.snyk-policy-file#policy-flags-and-policy-file-notes
args: "--policy-path='.snyk'"
sarif: true
# see https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.17.3
- name: Upload Snyk IaC results to GitHub Code Scanning
uses: "github/codeql-action@a57c67b89589d2d13d5ac85a9fc4679c7539f94c" # ref: `tags/codeql-bundle-v2.17.3`
with:
sarif_file: "snyk.sarif"
workflow-inactive:
# only run if workflows are disabled
if: ${{ vars.ENABLE_WORKFLOWS != 'true' }}
name: Workflow Status
runs-on: ubuntu-latest
timeout-minutes: 1
steps:
- name: Display Workflow Status
# shellcheck disable=SC2006
run: echo "::notice title='Workflow is not currently active'::'Check if `ENABLE_WORKFLOWS` is set to `true`.'"