-
Notifications
You must be signed in to change notification settings - Fork 0
98 lines (86 loc) · 3.31 KB
/
quality-security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: Code Quality & Security
on:
push:
branches: ["main"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
jobs:
eslint-prettier:
name: Format and Lint
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Prettier and ESLint
run: |
npm install [email protected]
npm install [email protected]
npm install @microsoft/[email protected]
- name: Run Prettier
run: npx prettier . --check
continue-on-error: true
- name: Run ESLint
run: npx eslint .
--config .eslintrc.cjs
--ext .js,.jsx,.ts,.tsx
--format @microsoft/eslint-formatter-sarif
--output-file eslint-results.sarif
continue-on-error: true
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: eslint-results.sarif
wait-for-processing: true
snyk:
needs: eslint-prettier
name: Security Scan
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
- uses: actions/setup-node@v4
with:
node-version: 20
- name: Authenticate snyk
run: snyk auth "$SNYK_TOKEN"
env:
# This is where you will need to introduce the Snyk API token created with your Snyk account
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Runs Snyk Code (SAST) analysis and uploads result into GitHub.
# Use || true to not fail the pipeline
- name: Snyk Code test
run: snyk code test --sarif --org=ignorant-view > snyk-code.sarif # || true
continue-on-error: true
# Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
- name: Snyk Open Source monitor
run: |
npm ci
snyk monitor --org=ignorant-view
continue-on-error: true
# Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
# Use || true to not fail the pipeline.
# - name: Snyk IaC test and report
# run: snyk iac test --report # || true
# Build the docker image for testing
- name: Build a Docker image
run: docker build -t theignorantview/skillanthropy .
continue-on-error: true
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Snyk Container monitor
run: snyk container monitor theignorantview/skillanthropy --file=Dockerfile --org=ignorant-view
continue-on-error: true
# Push the Snyk Code results into GitHub Code Scanning tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk-code.sarif