New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds generic sbt node snyk workflow #11
Merged
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
5ad3553
Adds generic sbt node snyk workflow
SHession 2d42b44
Sets Java version to 11 and simplifies node version retrieval
SHession 165178a
Adds java_version input to the snyk workflow
SHession 8d51820
Make org required
jorgeazevedo 1c7bd54
Simplify handling of ORG variable
jorgeazevedo 9b44635
Handle org whitespace
jorgeazevedo 7c34166
rearranges cli arguments
SHession File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
name: Simple Snyk monitor for SBT + Node | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
DEBUG: | ||
type: string | ||
required: false | ||
ORG: | ||
type: string | ||
required: true | ||
JAVA_VERSION: | ||
type: string | ||
required: false | ||
default: "11" | ||
secrets: | ||
SNYK_TOKEN: | ||
required: true | ||
|
||
jobs: | ||
security: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout branch | ||
uses: actions/checkout@v2 | ||
|
||
- uses: snyk/actions/setup@0.3.0 | ||
- uses: actions/setup-node@v2 | ||
with: | ||
node-version-file: '.nvmrc' | ||
|
||
- uses: actions/setup-java@v2 | ||
with: | ||
java-version: ${{ inputs.JAVA_VERSION }} | ||
distribution: "adopt" | ||
|
||
- name: Snyk monitor | ||
run: snyk monitor ${INPUT_DEBUG:+ -d} --all-projects --org="${{ inputs.ORG }}" | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
INPUT_DEBUG: ${{ inputs.DEBUG }} |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see in https://github.com/guardian/workflow-frontend/pull/356/files we're setting this up to be called on push to any branch. I think the guidance in the past has been to run
synk test
for branches andsynk monitor
only onmain
, so that the continuously monitored application in snyk ismain
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jfsoul, this is a good point. Our workflows diverged from that recommendation due to failing checks against PRs which were nothing to do with the content of the PR. As many of our projects have outstanding vulnerabilities which need resolving, the test function would always provide a failing result. This was unhelpful and indicated an issue to developers unfamiliar with this process. As it represented a problem with overall codebase and not the PR specifically we felt it wasn't relevant to have as a PR check.
We therefore thought it would be preferable to exclude the test check and only run monitor, the results of which can be reviewed in the Snyk dashboard. It would be interesting to know how other teams addressed these concerns.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After discussing offline I realise now that workflow-frontend will actually only be running this workflow on pushes to main - we've just commented that restriction out for testing. I do think there's value in
snyk test
for at least some teams, but I think this is an area that needs more thought before we can form a solid recommendation.