-
Notifications
You must be signed in to change notification settings - Fork 106
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #590 from cypress-io/SEC-229
- Loading branch information
Showing
2 changed files
with
62 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
name: Snyk Software Composition Analysis Scan | ||
# This git workflow leverages Snyk actions to perform a Software Composition | ||
# Analysis scan on our Opensource libraries upon Pull Requests to Master & | ||
# Develop branches. We use this as a control to prevent vulnerable packages | ||
# from being introduced into the codebase. | ||
on: | ||
pull_request_target: | ||
types: | ||
- opened | ||
branches: | ||
- master | ||
- develop | ||
jobs: | ||
Snyk_SCA_Scan: | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
node-version: [16.x] | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- name: Setting up Node | ||
uses: actions/setup-node@v1 | ||
with: | ||
node-version: ${{ matrix.node-version }} | ||
- name: Installing snyk-delta and dependencies | ||
run: npm i -g snyk-delta | ||
- uses: snyk/actions/setup@master | ||
- name: Perform SCA Scan | ||
continue-on-error: false | ||
run: | | ||
snyk test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=critical | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
name: Snyk Static Analysis Scan | ||
# This git workflow leverages Snyk actions to perform a Static Application | ||
# Testing scan (SAST) on our first-party code upon Pull Requests to Master & | ||
# Develop branches. We use this as a control to prevent vulnerabilities | ||
# from being introduced into the codebase. | ||
on: | ||
pull_request_target: | ||
types: | ||
- opened | ||
branches: | ||
- master | ||
- develop | ||
jobs: | ||
Snyk_SAST_Scan : | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: snyk/actions/setup@master | ||
- name: Perform Static Analysis Test | ||
continue-on-error: true | ||
run: | | ||
snyk code test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=high | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
# The Following Requires Advanced Security License | ||
# - name: Upload results to Github Code Scanning | ||
# uses: github/codeql-action/upload-sarif@v1 | ||
# with: | ||
# sarif_file: snyk_sarif |