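---
# Pull-request security assessment pipeline.
#
# Each job runs one Snyk scan (open source dependencies, SAST, container
# image, Kubernetes manifests, Terraform), converts the JSON report to HTML
# with snyk-to-html and uploads the HTML as a build artifact. The scan steps
# use continue-on-error so findings are reported without failing the PR;
# the later conversion/upload steps still fail if no report was produced.
name: On Pull Request

# github.event.number only exists for pull_request events; fall back to the
# ref name so manual (workflow_dispatch) runs still get a readable title.
run-name: PR #${{ github.event.number || github.ref_name }}

on: [pull_request, workflow_dispatch]

# Least privilege for GITHUB_TOKEN: nothing here writes to the repository,
# so checkout only needs read access. Uploading artifacts needs no extra
# token permission. (Was `write-all` on every job.)
permissions:
  contents: read

# NOTE(review): every `uses:` below references a mutable tag or branch
# (`@master`, `@vN`). For a reproducible supply chain, pin each action to a
# full commit SHA, e.g. `snyk/actions/node@<full-commit-sha>`, and keep the
# pins updated with a dependency bot. The same applies to
# `npm install -g snyk-to-html`, which installs whatever version is latest
# at run time (`snyk-to-html@<version>` pins it).
#
# NOTE(review): the jobs are chained serially through `needs:` although
# their inputs are independent; dropping the chain would let them run in
# parallel. The chain is kept here in case it exists to avoid Snyk rate
# limits -- confirm with the workflow owner before changing it.
jobs:
  oss-assessment:
    name: Open Source Assessment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check for Open Source vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        # Secrets are scoped to the step that needs them rather than exported
        # workflow-wide to every step (including the `npm install -g` and
        # `docker build` steps, which have no use for them).
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        with:
          args: --all-projects --org=$SNYK_ORG_ID --json-file-output=oss-results.json

      - uses: actions/setup-node@v4

      - run: npm install -g snyk-to-html

      # snyk-to-html reads and writes files itself; no pipe through cat needed.
      - run: snyk-to-html -i oss-results.json -o oss-results.html

      - uses: actions/upload-artifact@v4
        with:
          name: oss-results
          path: oss-results.html

  code-assessment:
    needs: oss-assessment
    name: SAST Assessment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: snyk/actions/setup@master

      - name: Run Snyk to check for Static Application Security Testing Findings
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        # Fixed: the flag was written with a single dash (`-json-file-output`),
        # which the CLI does not recognise, so no JSON report was produced.
        run: snyk code test --org=$SNYK_ORG_ID --json-file-output=code-results.json

      - uses: actions/setup-node@v4

      - run: npm install -g snyk-to-html

      - run: snyk-to-html -i code-results.json -o code-results.html

      - uses: actions/upload-artifact@v4
        with:
          name: code-results
          path: code-results.html

  container-assessment:
    needs: code-assessment
    name: Container Assessment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the container image
        run: docker build -t raphabot/juice-shop:test .

      - name: Run Snyk to check container image for vulnerabilities
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        with:
          image: raphabot/juice-shop:test
          args: --file=Dockerfile --org=$SNYK_ORG_ID --json-file-output=container-results.json

      - uses: actions/setup-node@v4

      - run: npm install -g snyk-to-html

      - run: snyk-to-html -i container-results.json -o container-results.html

      - uses: actions/upload-artifact@v4
        with:
          name: container-results
          path: container-results.html

  kubernetes-artifact-assessment:
    needs: container-assessment
    name: Kubernetes Artifact Assessment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk to check Kubernetes Artifact misconfigurations
        continue-on-error: true
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        with:
          args: ./k8s-src --org=$SNYK_ORG_ID --json-file-output=k8s-results.json

      - uses: actions/setup-node@v4

      - run: npm install -g snyk-to-html

      - run: snyk-to-html -i k8s-results.json -o k8s-results.html

      - uses: actions/upload-artifact@v4
        with:
          name: k8s-results
          path: k8s-results.html

  terraform-assessment:
    needs: kubernetes-artifact-assessment
    name: Terraform Assessment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v2

      # NOTE(review): a plain `terraform init` will also try to configure any
      # remote backend declared in the config. If init is only here to fetch
      # modules for the scan, `terraform init -backend=false` avoids touching
      # the backend from a PR run -- confirm against the Terraform config.
      - run: terraform init

      - name: Run Snyk to check AWS misconfigurations in Terraform IaC
        continue-on-error: true
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        with:
          args: --org=$SNYK_ORG_ID --json-file-output=terraform-results.json

      - uses: actions/setup-node@v4

      - run: npm install -g snyk-to-html

      - run: snyk-to-html -i terraform-results.json -o terraform-results.html

      - uses: actions/upload-artifact@v4
        with:
          name: terraform-results
          path: terraform-results.html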