Merge pull request #33 from radixdlt/DO-1664-snyk
[DO-1664] Snyk integration in Github workflows
Showing
2 changed files
with
142 additions
and
0 deletions.
@@ -12,6 +12,51 @@ on: | |
branches: | ||
- main | ||
jobs: | ||
snyk-scan: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
id-token: write | ||
pull-requests: read | ||
contents: read | ||
deployments: write | ||
steps: | ||
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | ||
with: | ||
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | ||
app_name: 'babylon-nodecli' | ||
step_name: 'snyk-scan-deps-licenses' | ||
secret_prefix: 'SNYK' | ||
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | ||
parse_json: true | ||
- name: Setup python | ||
uses: actions/[email protected] | ||
with: | ||
python-version: 3.10.6 | ||
- name: Install pipenv | ||
run: python -m pip install --upgrade pipenv wheel | ||
- name: Install dependencies | ||
run: | | ||
cd ./node-runner-cli | ||
pipenv install | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Install Snyk cli | ||
run: | | ||
npm install snyk -g | ||
snyk -v | ||
snyk auth ${{ env.SNYK_TOKEN }} | ||
- name: Run Snyk to check for deps vulnerabilities | ||
run: snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Run Snyk to check for code vulnerabilities | ||
run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Test SBOM generation | ||
run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json | ||
package_ubuntu_cli: | ||
name: "Package cli for Ubuntu" | ||
runs-on: ubuntu-22.04 | ||
@@ -96,6 +141,7 @@ jobs: | |
if: ${{ github.event_name == 'push' }} | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
permissions: | ||
id-token: write | ||
contents: read | ||
@@ -135,6 +181,7 @@ jobs: | |
if: ${{ github.event_name == 'release' }} | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- name: Download packaged cli | ||
uses: actions/download-artifact@v3 | ||
@@ -151,11 +198,54 @@ jobs: | |
asset_content_type: application/octet-stream | ||
if: ${{ github.event_name == 'release' }} | ||
upload-sbom: | ||
runs-on: ubuntu-latest | ||
if: ${{ github.event_name == 'release' }} | ||
permissions: write-all | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | ||
with: | ||
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | ||
app_name: 'babylon-nodecli' | ||
step_name: 'upload-sbom' | ||
secret_prefix: 'SNYK' | ||
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | ||
parse_json: true | ||
- name: Setup python | ||
uses: actions/[email protected] | ||
with: | ||
python-version: 3.10.6 | ||
- name: Install pipenv | ||
run: python -m pip install --upgrade pipenv wheel | ||
- name: Install dependencies | ||
run: | | ||
cd ./node-runner-cli | ||
pipenv install | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Install Snyk cli | ||
run: | | ||
npm install snyk -g | ||
snyk -v | ||
snyk auth ${{ env.SNYK_TOKEN }} | ||
- name: Generate SBOM | ||
run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json | ||
- name: Upload SBOM | ||
uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 | ||
with: | ||
files: sbom.json | ||
repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
upload-release-focal: | ||
runs-on: ubuntu-20.04 | ||
if: ${{ github.event_name == 'release' }} | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- name: Download packaged cli | ||
uses: actions/download-artifact@v3 | ||
@@ -176,6 +266,7 @@ jobs: | |
runs-on: [node-only] | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- name: Checkout | ||
uses: actions/[email protected] | ||
@@ -252,6 +343,7 @@ jobs: | |
runs-on: ubuntu-22.04 | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- name: Checkout | ||
uses: actions/[email protected] | ||
@@ -340,6 +432,7 @@ jobs: | |
contents: read | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
steps: | ||
- name: Checkout | ||
uses: actions/[email protected] | ||
@@ -425,6 +518,48 @@ jobs: | |
NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} | ||
NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}} | ||
snyk-monitor: | ||
runs-on: ubuntu-latest | ||
if: ${{ github.event_name == 'release' }} | ||
needs: | ||
- package_ubuntu_cli | ||
- snyk-scan | ||
permissions: | ||
id-token: write | ||
pull-requests: read | ||
contents: read | ||
deployments: write | ||
steps: | ||
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | ||
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | ||
with: | ||
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | ||
app_name: 'babylon-nodecli' | ||
step_name: 'snyk-monitor' | ||
secret_prefix: 'SNYK' | ||
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | ||
parse_json: true | ||
- name: Setup python | ||
uses: actions/[email protected] | ||
with: | ||
python-version: 3.10.6 | ||
- name: Install pipenv | ||
run: python -m pip install --upgrade pipenv wheel | ||
- name: Install dependencies | ||
run: | | ||
cd ./node-runner-cli | ||
pipenv install | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
- name: Install Snyk cli | ||
run: | | ||
npm install snyk -g | ||
snyk -v | ||
snyk auth ${{ env.SNYK_TOKEN }} | ||
- name: Enable Snyk online monitoring - Devops | ||
run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }} | ||
- name: Enable Snyk online monitoring - Network | ||
run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} | ||
# These do not run on Babylon | ||
# test-core-api: | ||
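Review bot: `permissions: write-all` on the new `upload-sbom` job grants the GITHUB_TOKEN every write scope, although the only step that uses it, `AButler/upload-release-assets`, attaches `sbom.json` to a release, and the sibling `snyk-scan`/`snyk-monitor` jobs already scope their permissions explicitly; replace it with `permissions:` / `  contents: write` / `  id-token: write` (id-token presumably needed by the `fetch-secrets` step as in the other jobs — confirm that action assumes the AWS role via OIDC). That matters because every new job runs code that is not pinned to an immutable ref: `npm install snyk -g` pulls whatever is latest, and `radixdlt/public-iac-resuable-artifacts/fetch-secrets@main` follows a mutable branch while handling the Snyk credentials, so pin the action to a commit SHA as `actions/checkout` already is and install a fixed `snyk@<version>`. Minor hygiene in `snyk-monitor`: `--target-reference=${{ github.ref_name }}` is expanded into the shell line by the runner; pass it through `env:` and reference `"$REF_NAME"` to avoid the script-injection shape even though release tags are maintainer-controlled. Note also that the dependency gate fails only at `--severity-threshold=critical` while the code gate uses `high`, so high-severity findings in the Pipfile dependencies still pass the release gate.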
@@ -0,0 +1,7 @@ | ||
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. | ||
version: v1.25.0 | ||
ignore: {} | ||
patch: {} | ||
exclude: | ||
global: | ||
- ./node-runner-cli/utils/utils.py |
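Review bot: The global `exclude` of `./node-runner-cli/utils/utils.py` removes that whole file from every Snyk Code result with no record of why, which is the kind of entry that outlives its reason; add a comment above it such as `# utils.py excluded: <finding id / reason>; owner <team>, revisit <date>` so the next reviewer can tell whether the exclusion is still justified. Unlike `ignore:` entries, `exclude` globs carry no `expires:` in the policy format as far as I can tell, so the revisit date has to live in the comment. If the intent was to suppress one specific finding rather than the whole file, an `ignore:` entry keyed on that issue with an `expires:` would be the narrower tool.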