Merge pull request #33 from radixdlt/DO-1664-snyk
[DO-1664] Snyk integration in Github workflows
marek-karwacki-rdx authored Aug 3, 2023
2 parents d22ac5b + 055f1bb commit fdd2138
Showing 2 changed files with 142 additions and 0 deletions.
135 changes: 135 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -12,6 +12,51 @@ on:
branches:
- main
jobs:
snyk-scan:
runs-on: ubuntu-latest
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-nodecli'
step_name: 'snyk-scan-deps-licenses'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Setup python
uses: actions/[email protected]
with:
python-version: 3.10.6
- name: Install pipenv
run: python -m pip install --upgrade pipenv wheel
- name: Install dependencies
run: |
cd ./node-runner-cli
pipenv install
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Snyk cli
run: |
npm install snyk -g
snyk -v
snyk auth ${{ env.SNYK_TOKEN }}
- name: Run Snyk to check for deps vulnerabilities
run: snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Snyk to check for code vulnerabilities
run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test SBOM generation
run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json

package_ubuntu_cli:
name: "Package cli for Ubuntu"
runs-on: ubuntu-22.04
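Review bot: `snyk auth ${{ env.SNYK_TOKEN }}` in the "Install Snyk cli" step puts the API token on a command line, where it is visible to process listings and to any step that echoes commands; the Snyk CLI reads `SNYK_TOKEN` from the environment on its own, so the `snyk auth` line can be dropped once the fetch-secrets step has exported it. Two pinning gaps in the same hunk: `radixdlt/public-iac-resuable-artifacts/fetch-secrets@main` is referenced by a mutable branch while `actions/checkout` is pinned to a commit SHA, and `npm install snyk -g` installs whatever the latest Snyk release is on the day the job runs; pin both to a fixed version or SHA so a scanner change cannot alter results between runs. Also note that `snyk code test --file=./node-runner-cli/Pipfile` points the SAST scan at a manifest file; `snyk code` analyses a source tree, so passing the `./node-runner-cli` directory makes the intent clearer. Finally, `--severity-threshold=critical` on the dependency test means high-severity findings never fail the job; if that is the intended policy, a comment saying so would help the next reader.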
Expand Down Expand Up @@ -96,6 +141,7 @@ jobs:
if: ${{ github.event_name == 'push' }}
needs:
- package_ubuntu_cli
- snyk-scan
permissions:
id-token: write
contents: read
Expand Down Expand Up @@ -135,6 +181,7 @@ jobs:
if: ${{ github.event_name == 'release' }}
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- name: Download packaged cli
uses: actions/download-artifact@v3
Expand All @@ -151,11 +198,54 @@ jobs:
asset_content_type: application/octet-stream
if: ${{ github.event_name == 'release' }}

upload-sbom:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
permissions: write-all
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-nodecli'
step_name: 'upload-sbom'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Setup python
uses: actions/[email protected]
with:
python-version: 3.10.6
- name: Install pipenv
run: python -m pip install --upgrade pipenv wheel
- name: Install dependencies
run: |
cd ./node-runner-cli
pipenv install
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Snyk cli
run: |
npm install snyk -g
snyk -v
snyk auth ${{ env.SNYK_TOKEN }}
- name: Generate SBOM
run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json
- name: Upload SBOM
uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2
with:
files: sbom.json
repo-token: ${{ secrets.GITHUB_TOKEN }}

upload-release-focal:
runs-on: ubuntu-20.04
if: ${{ github.event_name == 'release' }}
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- name: Download packaged cli
uses: actions/download-artifact@v3
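Review bot: `permissions: write-all` on the `upload-sbom` job grants every scope to the job token, but the job only needs `contents: write` (to attach `sbom.json` to the release via `AButler/upload-release-assets`) and `id-token: write` (for the OIDC role assumed by the fetch-secrets step); narrow it to those two, matching the explicit permission blocks used by `snyk-scan` and `snyk-monitor`. The job also repeats the full checkout / fetch-secrets / pipenv / Snyk install sequence and regenerates the SBOM that `snyk-scan` already produced in its "Test SBOM generation" step; uploading `sbom.json` from `snyk-scan` as a workflow artifact and downloading it here would remove the duplicated steps and guarantee that the SBOM attached to the release is the one that was actually scanned.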
Expand All @@ -176,6 +266,7 @@ jobs:
runs-on: [node-only]

[actionlint] .github/workflows/ci.yml:266:15: label "node-only" is unknown. available labels are "windows-latest", "windows-2022", "windows-2019", "windows-2016", "ubuntu-latest", "ubuntu-22.04", "ubuntu-20.04", "ubuntu-18.04", "macos-latest", "macos-12", "macos-12.0", "macos-11", "macos-11.0", "macos-10.15", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file [runner-label]
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- name: Checkout
uses: actions/[email protected]
Expand Down Expand Up @@ -252,6 +343,7 @@ jobs:
runs-on: ubuntu-22.04
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- name: Checkout
uses: actions/[email protected]
Expand Down Expand Up @@ -340,6 +432,7 @@ jobs:
contents: read
needs:
- package_ubuntu_cli
- snyk-scan
steps:
- name: Checkout
uses: actions/[email protected]
Expand Down Expand Up @@ -425,6 +518,48 @@ jobs:
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}}
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}}

snyk-monitor:
runs-on: ubuntu-latest
if: ${{ github.event_name == 'release' }}
needs:
- package_ubuntu_cli
- snyk-scan
permissions:
id-token: write
pull-requests: read
contents: read
deployments: write
steps:
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
with:
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
app_name: 'babylon-nodecli'
step_name: 'snyk-monitor'
secret_prefix: 'SNYK'
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
parse_json: true
- name: Setup python
uses: actions/[email protected]
with:
python-version: 3.10.6
- name: Install pipenv
run: python -m pip install --upgrade pipenv wheel
- name: Install dependencies
run: |
cd ./node-runner-cli
pipenv install
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Install Snyk cli
run: |
npm install snyk -g
snyk -v
snyk auth ${{ env.SNYK_TOKEN }}
- name: Enable Snyk online monitoring - Devops
run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }}
- name: Enable Snyk online monitoring - Network
run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }}

# These do not run on Babylon
# test-core-api:
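Review bot: the two `snyk monitor` steps interpolate `${{ github.ref_name }}` directly into a shell `run` line; on the `release` event that value is the tag name, which is free-form text, and GitHub's own hardening guidance is to pass such context into an environment variable and quote it in the script rather than splice it into the command, e.g. `env: TARGET_REF: ${{ github.ref_name }}` with `--target-reference="$TARGET_REF"`. The same `snyk auth ${{ env.SNYK_TOKEN }}` and unpinned `npm install snyk -g` pattern from the `snyk-scan` job is repeated here, and the `pull-requests: read` and `deployments: write` permissions are not used by any step in this job and can be dropped.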
7 changes: 7 additions & 0 deletions .snyk
@@ -0,0 +1,7 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
ignore: {}
patch: {}
exclude:
global:
- ./node-runner-cli/utils/utils.py
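Review bot: the `exclude: global:` entry removes `./node-runner-cli/utils/utils.py` from every Snyk analysis, including the `snyk code test` SAST run added in `ci.yml`, without saying why; a comment next to the path stating the reason (and, if it is only a SAST false positive, scoping the exclusion to the `code:` section instead of `global:`) would keep the exclusion reviewable and stop it silently widening as the file grows.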
