Test dependencies with Snyk #597
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test dependencies with Snyk | |
on: | |
# Run this check every day at 03:00 to find potential new vulnerabilities in the develop branch | |
schedule: | |
- cron: "0 3 * * *" | |
jobs: | |
snyk-test: | |
runs-on: self-hosted | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Check out code into the Go module directory | |
uses: actions/checkout@v4 | |
with: | |
ref: develop | |
- name: Build HORNET Docker image | |
run: docker build . --file Dockerfile --tag hornet:latest | |
- name: Run Snyk to check for Golang vulnerabilities | |
uses: snyk/actions/golang@0.4.0 | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
args: --org=gohornet --sarif-file-output=snyk-golang.sarif | |
- name: Run Snyk to check for Docker image vulnerabilities | |
uses: snyk/actions/docker@0.4.0 | |
continue-on-error: true | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: hornet:latest | |
# Exclude Go app vulns because those are picked up by the previous scan | |
# For Docker scans, the SARIF is created by default | |
args: --org=gohornet --file=Dockerfile --exclude-app-vulns | |
- name: Upload Golang results to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: snyk-golang.sarif | |
category: snyk-golang | |
- name: Upload Docker results to GitHub Code Scanning | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: snyk.sarif | |
category: snyk-docker |