Merge pull request #2 from epidemicsound/implement-snyk-static-scanning

[SECURITY-1505] Implementing Snyk into Github Actions
epidemicsound · Jun 25, 2024 · ba2eb4a · ba2eb4a
2 parents a5e7cf3 + 6e1685b
commit ba2eb4a
Showing 1 changed file with 37 additions and 0 deletions.
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
@@ -0,0 +1,37 @@
+name: Run Snyk Scan -- Go
+on: push
+jobs:
+  snyk-scan-python:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud for accessing Snyk token
+        uses: "google-github-actions/auth@v2"
+        with:
+          workload_identity_provider: "projects/747834912006/locations/global/workloadIdentityPools/epidemicsound/providers/github"
+          service_account: "sast-dast-sa@es-platform-staging-fc6c.iam.gserviceaccount.com"
+
+      - id: "secrets"
+        name: Access Snyk secret token
+        uses: "google-github-actions/get-secretmanager-secrets@v2"
+        with:
+          secrets: |-
+            token:es-platform-staging-fc6c/snyk-token-secret
+            
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+
+      - name: Add Snyk scan results to Snyk dashboard
+        run: snyk monitor -d --all-projects
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ steps.secrets.outputs.token }}
+
+      - name: Run Snyk to check for vulnerabilities
+        run: snyk test --severity-threshold=critical -d --all-projects
+        env:
+          SNYK_TOKEN: ${{ steps.secrets.outputs.token }}