Skip to content

Check for Snyk Vulnerabilities #321

Check for Snyk Vulnerabilities

Check for Snyk Vulnerabilities #321

Workflow file for this run

---
name: Check for Snyk Vulnerabilities
on:
workflow_dispatch:
schedule:
- cron: '0 12 * * *' # every day at 12pm UTC
jobs:
snyk:
name: snyk test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Dependencies
run: |
npm install snyk -g
sudo apt-get update -y
sudo apt-get install -y \
openssl libssl-dev libffi-dev pkg-config libxml2-dev \
libxmlsec1-dev libxmlsec1-openssl libgeos-dev proj-bin
pip3 install -r requirements.txt
- name: Run Snyk Scan
run: |
# Run scan
snyk auth ${{ secrets.SNYK_TOKEN }}
snyk test --file=ckan/requirements.txt --json-file-output=scan.json || echo "Scan complete"
# Exit if no vulnerabilities
# Succeed, so that PR is NOT created
[[ "$(jq '.ok' scan.json)" == "true" ]] && exit 0
# Update requirements.in with the snyk fix suggestions
python tools/snyk-update.py
# Remove unnecessary file so that it doesn't get added to the repo
rm scan.json
# Update requirements.txt
make update-dependencies
# Fail so that PR is created
exit 1
- name: Create Pull Request
if: ${{ failure() }}
id: scpr
uses: peter-evans/create-pull-request@v4
with:
token: ${{ secrets.ADD_TO_PROJECT_PAT }}
commit-message: Update Pip Requirements
committer: Data.gov Github <datagovhelp@gsa.gov>
author: ${{ github.actor }} <datagovhelp@gsa.gov>
signoff: false
branch: requirement-patches
delete-branch: true
title: '[Snyk + GH Actions] Update requirements'
body: |
Update requirements
- Updated `requirements.in` + `requirements.txt`
- Auto-generated by [snyk.yml][1]
[1]: https://github.com/gsa/catalog.data.gov/.github/workflows/snyk.yml
labels: |
requirements
automated pr
snyk
reviewers: GSA/data-gov-team
team-reviewers: |
owners
maintainers
draft: false