CI - Add Snyk Scanning
This PR introduces a CI job to periodically scan the OpenVDB repository
for security vulnerabilities. This CI job requires coordination with
John Mertic (jmertic) and/or the OpenVDB maintainers to add both the
`SNYK_ORG` and `SNYK_TOKEN` GitHub secrets to the GitHub configuration.
Once these secrets are added, then this PR can be merged with the
appropriate review/approvals. The Snyk tool can be run on the command
line at any time using:

```bash
$ snyk auth ${SNYK_TOKEN}

Your account has been authenticated. Snyk is now ready to be used.

$ snyk test --unmanaged --org=${SNYK_ORG}

Testing /Users/ddeal/projects/go/src/github.com/dealako/openvdb...

Tested 1 dependency for known issues, found 0 issues.

$ snyk monitor --unmanaged --org=${SNYK_ORG}

Monitoring /Users/ddeal/projects/go/src/github.com/dealako/openvdb (openvdb)...

Explore this snapshot at https://app.snyk.io/org/openvdb/project/${SNY_ORG}/history/4c82fd74-757b-40f3-8522-803ae4f84e0f

Notifications about newly disclosed issues related to these dependencies will be emailed to you.
```

Contact John Mertic (jmertic) to access the above secrets or to gain
access to the Snyk console.

Signed-off-by: David Deal <[email protected]>
dealako committed Apr 26, 2024
1 parent 08409f0 commit 79758df
Showing 1 changed file with 44 additions and 0 deletions.
44 changes: 44 additions & 0 deletions .github/workflows/snyk-scan-cron.yml
@@ -0,0 +1,44 @@
---
# SPDX-License-Identifier: BSD-3-Clause
# Copyright (c) Contributors to the OpenVDB Project.

name: Snyk Scan Code

on:
# https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
schedule:
- cron: "0 4 * * 0"

permissions:
contents: read

jobs:
snyk-scan-pr:
runs-on: ubuntu-latest
if: github.repository == 'AcademySoftwareFoundation/openvdb'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- uses: snyk/actions/setup@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # master
id: snyk

- name: Snyk version
run: echo "${{ steps.snyk.outputs.version }}"

- name: Snyk Auth
run: snyk auth ${{ secrets.SNYK_TOKEN }}

- name: Snyk Scan Code
# Scan the C/C++ code for vulnerabilities using the Snyk CLI with the unmanaged flag
# https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/c-c++ for options
run: snyk test --unmanaged --print-dep-paths --org=${{ secrets.SNYK_ORG }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
continue-on-error: true # optional

- name: Monitor for Vulnerabilities
# To import the test results (issues and dependencies) in the Snyk CLI, run the snyk monitor --unmanaged command:
run: snyk monitor --unmanaged --org=${{ secrets.SNYK_ORG }}
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
continue-on-error: true # optional
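Review bot: the job id `snyk-scan-pr` does not describe this job; the only trigger is the weekly `cron: "0 4 * * 0"` schedule (Sunday 04:00 UTC), never a pull request, so rename it to match the file (`snyk-scan-cron`) and consider adding a `workflow_dispatch` trigger so the scan can be exercised by hand rather than waiting for the next scheduled run. Two smaller points: the separate `Snyk Auth` step (`run: snyk auth ${{ secrets.SNYK_TOKEN }}`) is redundant with the `SNYK_TOKEN` env var already set on the later steps and puts the token on a process command line, so drop the step and rely on the env var; and with `continue-on-error: true` on both the `snyk test` and `snyk monitor` steps the workflow stays green whatever is found, which is acceptable for a monitor-only job but should be stated in a comment, or replaced by a `--severity-threshold` on `snyk test` if the scheduled run is meant to signal on findings.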

0 comments on commit 79758df