1 | | -# A sample workflow which checks out your Infrastructure as Code Configuration files, |
2 | | -# such as Kubernetes, Helm & Terraform and scans them for any security issues. |
3 | | -# The results are then uploaded to GitHub Security Code Scanning |
4 | | -# |
5 | | -# For more examples, including how to limit scans to only high-severity issues |
6 | | -# and fail PR checks, see https://github.com/snyk/actions/ |
7 | | - |
8 | | -name: Snyk Infrastructure as Code |
| 1 | +name: Snyk Node Security Scan |
9 | 2 |
|
10 | 3 | on: |
11 | 4 | push: |
12 | 5 | branches: [ "main", "DSSRF_Branch_Rule" ] |
13 | 6 | pull_request: |
14 | | - # The branches below must be a subset of the branches above |
15 | 7 | branches: [ "main" ] |
16 | 8 | schedule: |
17 | | - - cron: '* * * * *' |
| 9 | + - cron: '0 0 * * *' |
18 | 10 |
|
19 | 11 | permissions: |
20 | 12 | contents: read |
21 | 13 |
|
22 | 14 | jobs: |
23 | 15 | snyk: |
24 | 16 | permissions: |
25 | | - contents: read # for actions/checkout to fetch code |
26 | | - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
27 | | - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
28 | | - runs-on: ubuntu-latest |
| 17 | + contents: read |
| 18 | + security-events: write |
| 19 | + actions: read |
| 20 | + runs-on: ubuntu-latest # Required to fix the job failure |
| 21 | + |
29 | 22 | steps: |
30 | | - - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 |
| 23 | + - name: Checkout Code |
| 24 | + uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # Pinned to specific SHA |
| 25 | + |
| 26 | + - name: Setup Node.js |
| 27 | + uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # Pinned to specific SHA |
| 28 | + with: |
| 29 | + node-version: '20' |
| 30 | + cache: 'npm' |
| 31 | + |
| 32 | + - name: Install Dependencies |
| 33 | + # This fixes the SNYK-CLI-0000 "Missing node_modules" error |
| 34 | + run: npm install |
| 35 | + |
31 | 36 | - name: Run Snyk to check for vulnerabilities |
32 | | - uses: snyk/actions/node@e2221410bff24446ba09102212d8bc75a567237d |
| 37 | + uses: snyk/actions/node@e2221410bff24446ba09102212d8bc75a567237d # Pinned to specific SHA |
33 | 38 | continue-on-error: true |
34 | 39 | env: |
35 | 40 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
36 | 41 | with: |
37 | 42 | args: --sarif-file-output=snyk-results.sarif |
| 43 | + |
| 44 | + - name: Upload result to GitHub Code Scanning |
| 45 | + uses: github/codeql-action/upload-sarif@7434149006143a4d75b82a2f411ef15b03ccc2d7 # Pinned to specific SHA |
| 46 | + if: always() |
| 47 | + with: |
| 48 | + sarif_file: snyk-results.sarif |
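Review bot: The new "Install Dependencies" step runs `npm install`, which executes every dependency's preinstall/postinstall lifecycle scripts on the runner and may rewrite package-lock.json, so the tree Snyk scans can differ from the one committed; for a scan-only job use `run: npm ci --ignore-scripts` instead. `npm ci` also matches the `cache: 'npm'` setting on the setup-node step, which keys its cache on a lockfile (presumably the repository has one — confirm, since `npm ci` fails without it). Separately, `pull_request` runs from forks do not receive `secrets.SNYK_TOKEN`, and `continue-on-error: true` on the Snyk step will hide that the scan never ran there; consider guarding the step with `if: github.event.pull_request.head.repo.fork == false` or documenting that fork PRs are not scanned. As a style point, the `# Pinned to specific SHA` comments would be more auditable as the release tag each SHA corresponds to (e.g. `# vX.Y.Z`), so a reader can verify the pin against the upstream release.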