Merge pull request #2 from dlnsec/update-gh-actions #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Snyk Code Scanning Security Analysis | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout code | |
| - uses: actions/checkout@v4 | |
| # Setup JDK 21 for Gradle to support Snyk Action | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: "21" | |
| distribution: "adopt" # See 'Supported distributions' for available options | |
| # Run Gradle wrapper to generate required gradle-wrapper.jar | |
| - name: Run Gradle wrapper to generate gradle-wrapper.jar | |
| run: gradle wrapper | |
| # Install Gradle dependencies | |
| - name: Install Gradle dependencies | |
| run: ./gradlew build --no-daemon | |
| # List installed dependencies | |
| - name: List installed dependencies | |
| run: ./gradlew dependencies | |
| # Install Snyk CLI | |
| - name: Install Snyk CLI | |
| run: npm install -g snyk | |
| # Check Snyk CLI version | |
| - name: Check Snyk CLI version | |
| run: snyk --version | |
| # Run Snyk on project | |
| # exit code 0: No vulnerabilities found | |
| # exit code 1: Vulnerabilities found | |
| # exit code 2: An error occurerd | |
| - name: Run Snyk on project | |
| run: snyk test --file=app/build.gradle.kts --severity-threshold=high --sarif-file-output=_snyk_report.sarif | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| continue-on-error: false # fail on exit code 2 | |
| # Install jq to parse Snyk report | |
| - name: Install jq | |
| run: sudo apt-get install jq | |
| # Replace security-severity undefined for license-related findings known issue with Snyk Action | |
| - name: Replace security-severity undefined for license-related findings | |
| run: | | |
| jq 'walk(if type == "object" and .["security-severity"] == "undefined" then .["security-severity"] = "0" else . end)' _snyk_report.sarif > snyk_report.sarif | |
| # Upload sarif results to GitHub | |
| - name: Upload sarif results to GitHub | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: snyk_report.sarif | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |