Skip to content

[Snyk] Fix for 19 vulnerabilities #3095

[Snyk] Fix for 19 vulnerabilities

[Snyk] Fix for 19 vulnerabilities #3095

Workflow file for this run

name: Snyk Security Vulnerability Scan
on:
workflow_dispatch:
pull_request:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
branches:
- "main"
jobs:
snyk_scan_test:
if: ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
with:
fetch-depth: 0
- name: Check changed Deps files
uses: tj-actions/changed-files@v35
id: changed-files
with:
files: |
go.mod
ui/package-lock.json
website/package-lock.json
py/examples/requirements.txt
py/Makefile
- uses: snyk/actions/setup@master
- uses: actions/setup-go@v3
with:
go-version: "1.19.4"
- name: Snyk scan for Go dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'go.mod')
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
GOFLAGS="-e" snyk test --file=go.mod -d --fail-on=all
- name: Snyk scan for Node dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'ui/package-lock.json')
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --file=ui/package-lock.json -d --fail-on=all
- name: Snyk scan for Node dependencies
if: contains(steps.changed-files.outputs.all_changed_and_modified_files, 'website/package-lock.json')
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --file=website/package-lock.json -d --fail-on=all
- name: Check python deps files
id: changed-py-deps
if: |
contains(steps.changed-files.outputs.all_changed_and_modified_files, 'py/Makefile') ||
contains(steps.changed-files.outputs.all_changed_and_modified_files, 'py/examples/requirements.txt')
shell: bash
run: echo "any_changed=true" >> $GITHUB_OUTPUT
- uses: snyk/actions/setup@master
if: steps.changed-py-deps.outputs.any_changed == 'true'
- uses: actions/setup-python@v4
if: steps.changed-py-deps.outputs.any_changed == 'true'
with:
python-version: "3.8"
- name: pip install
if: steps.changed-py-deps.outputs.any_changed == 'true'
run: |
pip install setuptools wheel httpx uvicorn starlette pdoc3 pytest flake8
pip install -r py/examples/requirements.txt
pip freeze > py/requirements.txt
cat py/requirements.txt
- name: Snyk scan for Python dependencies
if: steps.changed-py-deps.outputs.any_changed == 'true'
run: snyk test --org=wave --remote-repo-url=wave/${{ steps.extract_ref.outputs.ref }} --file=py/requirements.txt --project-name=WAVE/wave/${{ steps.extract_ref.outputs.ref }}/py/requirements.txt -d --fail-on=all --policy-path=.snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
snyk_scan_monitor:
if: ${{ github.event_name == 'push' }}
runs-on: ubuntu-latest
steps:
- name: Extract github branch/tag name
shell: bash
run: echo "ref=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
id: extract_ref
- uses: actions/checkout@master
- uses: snyk/actions/setup@master
- uses: actions/setup-go@v3
with:
go-version: "1.19.4"
- name: Snyk scan for Go dependencies
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
GOFLAGS="-e" snyk monitor --org=wave --remote-repo-url=wave/${{ steps.extract_ref.outputs.ref }} --file=go.mod --project-name=WAVE/wave/${{ steps.extract_ref.outputs.ref }}/go.mod -d --fail-on=all
- name: Snyk scan for Node dependencies
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
args: --org=wave --remote-repo-url=wave/${{ steps.extract_ref.outputs.ref }} --file=ui/package-lock.json --project-name=WAVE/wave/${{ steps.extract_ref.outputs.ref }}/ui/package-lock.json -d --fail-on=all
- name: Snyk scan for Node dependencies
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
args: --org=wave --remote-repo-url=wave/${{ steps.extract_ref.outputs.ref }} --file=website/package-lock.json --project-name=WAVE/wave/${{ steps.extract_ref.outputs.ref }}/website/package-lock.json -d --fail-on=all
- uses: snyk/actions/setup@master
- uses: actions/setup-python@v4
with:
python-version: "3.8"
- name: Install python depedency packages to scan
run: |
pip install setuptools wheel httpx uvicorn starlette pdoc3 pytest flake8
pip install -r py/examples/requirements.txt
pip freeze > py/requirements.txt
cat py/requirements.txt
- name: Snyk scan for Python dependencies
run: snyk monitor --org=wave --remote-repo-url=wave/${{ steps.extract_ref.outputs.ref }} --file=py/requirements.txt --project-name=WAVE/wave/${{ steps.extract_ref.outputs.ref }}/py/requirements.txt -d --fail-on=all
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}