From 79758dff1de84966cb9da7e98dffdd322b73d265 Mon Sep 17 00:00:00 2001
From: David Deal
Date: Fri, 26 Apr 2024 13:19:37 -0700
Subject: [PATCH] CI - Add Snyk Scanning

This PR introduces a CI job to periodically scan the OpenVDB repository for security vulnerabilities.

This CI job requires coordination with John Mertic (jmertic) and/or the OpenVDB maintainers to add both the `SNYK_ORG` and `SNYK_TOKEN` GitHub secrets to the GitHub configuration. Once these secrets are added, this PR can be merged with the appropriate review/approvals.

The Snyk tool can be run on the command line at any time using:

```bash
snyk auth ${SNYK_TOKEN}
Your account has been authenticated. Snyk is now ready to be used.

snyk test --unmanaged --org=${SNYK_ORG}
Testing /Users/ddeal/projects/go/src/github.com/dealako/openvdb...
Tested 1 dependency for known issues, found 0 issues.

snyk monitor --unmanaged --org=${SNYK_ORG}
Monitoring /Users/ddeal/projects/go/src/github.com/dealako/openvdb (openvdb)...
Explore this snapshot at https://app.snyk.io/org/openvdb/project/${SNYK_ORG}/history/4c82fd74-757b-40f3-8522-803ae4f84e0f
Notifications about newly disclosed issues related to these dependencies will be emailed to you.
```

Contact John Mertic (jmertic) to access the above secrets or to gain access to the Snyk console.

Signed-off-by: David Deal
---
 .github/workflows/snyk-scan-cron.yml | 44 ++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/snyk-scan-cron.yml

diff --git a/.github/workflows/snyk-scan-cron.yml b/.github/workflows/snyk-scan-cron.yml
new file mode 100644
index 0000000000..b9ca332dbf
--- /dev/null
+++ b/.github/workflows/snyk-scan-cron.yml
@@ -0,0 +1,44 @@
+---
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright (c) Contributors to the OpenVDB Project.
+
+name: Snyk Scan Code
+
+on:
+  # https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions
+  schedule:
+    - cron: "0 4 * * 0"
+
+permissions:
+  contents: read
+
+jobs:
+  snyk-scan-pr:
+    runs-on: ubuntu-latest
+    if: github.repository == 'AcademySoftwareFoundation/openvdb'
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - uses: snyk/actions/setup@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # master
+        id: snyk
+
+      - name: Snyk version
+        run: echo "${{ steps.snyk.outputs.version }}"
+
+      - name: Snyk Auth
+        run: snyk auth ${{ secrets.SNYK_TOKEN }}
+
+      - name: Snyk Scan Code
+        # Scan the C/C++ code for vulnerabilities using the Snyk CLI with the unmanaged flag
+        # https://docs.snyk.io/scan-using-snyk/supported-languages-and-frameworks/c-c++ for options
+        run: snyk test --unmanaged --print-dep-paths --org=${{ secrets.SNYK_ORG }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true # optional
+
+      - name: Monitor for Vulnerabilities
+        # To import the test results (issues and dependencies) in the Snyk CLI, run the snyk monitor --unmanaged command:
+        run: snyk monitor --unmanaged --org=${{ secrets.SNYK_ORG }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true # optional
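Review bot: The `Snyk Auth` step interpolates the secret straight into the command line, `run: snyk auth ${{ secrets.SNYK_TOKEN }}`, so the runner writes the token into the generated shell script and it appears in the process arguments on the runner; GitHub masks it in the log, but the `env:` route the two later steps already use keeps it out of both. Since `snyk test` and `snyk monitor` each receive `SNYK_TOKEN` via `env:`, the auth step looks redundant and can be dropped, or, if an explicit login is wanted, written as `env:` / `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` with `run: snyk auth "$SNYK_TOKEN"`. With `schedule` as the only trigger the workflow cannot be exercised before merge, and `continue-on-error: true` on both scan steps means a missing secret or a failed `snyk monitor` upload still reports a green run; adding `workflow_dispatch:` under `on:` and removing `continue-on-error` from the monitor step would make a broken run visible. The job id `snyk-scan-pr` does not match the cron trigger or the file name; `snyk-scan-cron` would.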