Skip to content
Snyk Security

Update github/codeql-action digest to b8806ec #531

Sign in to view logs

Update github/codeql-action digest to b8806ec

Update github/codeql-action digest to b8806ec #531

Workflow file for this run

.github/workflows/snyk-security.yml at 479ea7b
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
# Snyk Container and Snyk Infrastructure as Code)
# The setup installs the Snyk CLI - for more details on the possible commands
# check https://docs.snyk.io/snyk-cli/cli-reference
# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
#
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/
name: Snyk Security
on:
push:
branches: ["main" ]
pull_request:
branches: ["main"]
permissions:
contents: read
jobs:
snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@cdb760004ba9ea4d525f2e043745dfe85bb9077e
with:
snyk-version: latest
- name: Set up Python
uses: actions/setup-python@5db1cf9a59fb97c40a68accab29236f0da7e94db
with:
python-version: '3.13.5'
- name: Create Sarif file's dir
run: mkdir sarif
- name: Install dependencies
run: |
if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
if [ -f Pipfile ]; then pip install pipenv && pipenv install --dev; fi
if [ -f pyproject.toml ]; then pip install poetry && poetry install; fi
- name: Run Snyk to check for vulnerabilities and output Sarif
uses: snyk/actions/python-3.10@cdb760004ba9ea4d525f2e043745dfe85bb9077e
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
with:
args: --sarif-file-output=sarif/snyk.sarif
- name: Run Snyk to check for vulnerabilities and monitor
uses: snyk/actions/python-3.10@cdb760004ba9ea4d525f2e043745dfe85bb9077e
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
with:
command: monitor
# Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
- name: Run Snyk Open Source Analysis and output Sarif
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
run: snyk test --all-projects --sarif-file-output=sarif/snyk-SCA.sarif
- name: Run Snyk Open Source Analysis and monitor
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
run: snyk test monitor --all-projects
# - name: Merge 2 Sarif reports
# uses: github/codeql-action/merge-results@latest
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@31d3ae847e3e655d6e31918ac1d8af398338a360
env:
SNYK_TOKEN: ${{ secrets.SNYK_SECRET_TOKEN }}
with:
sarif_file: sarif