-
Notifications
You must be signed in to change notification settings - Fork 0
168 lines (142 loc) · 5.22 KB
/
codeql.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: ESLint, Tests, and Snyk
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
schedule:
- cron: "30 15 * * 5"
jobs:
Eslint_QL:
name: Run ESLint scanning
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Node.js
uses: actions/setup-node@v3
- name: Install dependencies
run: npm ci
- name: Install ESLint
run: |
npm install eslint
npm install @microsoft/[email protected]
npm install @typescript-eslint/eslint-plugin
npm install @typescript-eslint/parser
npm install eslint-plugin-react
npm install eslint-config-prettier
- name: Run ESLint
run: |
npx eslint . --config .eslintrc.json --ext .js,.jsx,.ts,.tsx --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
continue-on-error: true
- name: Fix SARIF file
run: |
node -e "
const fs = require('fs');
const sarif = JSON.parse(fs.readFileSync('eslint-results.sarif', 'utf8'));
sarif.runs[0].results.forEach(result => {
if (result.suppressions) {
result.suppressions = Array.from(new Set(result.suppressions.map(JSON.stringify))).map(JSON.parse);
}
});
fs.writeFileSync('eslint-results-fixed.sarif', JSON.stringify(sarif));
"
- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: eslint-results-fixed.sarif
wait-for-processing: true
Code_QL:
needs: Eslint_QL
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["javascript", "typescript"]
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
Run_Snyk_Tests:
needs: Code_QL
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Node.js
uses: actions/setup-node@v3
- name: Install dependencies
run: npm ci
- name: Install Snyk
run: npm install -g snyk
- name: Cache
uses: actions/[email protected]
continue-on-error: true
with:
# See here for caching with `yarn` https://github.com/actions/cache/blob/main/examples.md#node---yarn or you can leverage caching with actions/setup-node https://github.com/actions/setup-node
path: |
~/.npm
${{ github.workspace }}/.next/cache
# Generate a new cache whenever packages or source files change.
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
# If source files changed but packages didn't, rebuild from a prior cache.
restore-keys: |
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
with:
args: --all-projects --severity-threshold=high --json > snyk_report.json || true
- name: Ensure Snyk report exists
run: |
if [ ! -f snyk_report.json ]; then
echo "{}" > snyk_report.json && echo "Snyk report was not generated" && exit 1
fi
- name: Run Snyk to check for vulnerabilities
run: snyk code test --sarif > snyk-code.sarif || true
- name: Snyk IaC test and report
run: snyk iac test --report || true
- name: Upload Snyk report
uses: actions/upload-artifact@v2
with:
name: snyk_report
path: snyk_report.json
Run_App_Tests:
needs: Code_QL
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Node.js
uses: actions/setup-node@v3
- name: Install dependencies
run: npm ci
- name: Install Snyk
run: npm install -g snyk
- name: Cache
uses: actions/[email protected]
continue-on-error: true
with:
# See here for caching with `yarn` https://github.com/actions/cache/blob/main/examples.md#node---yarn or you can leverage caching with actions/setup-node https://github.com/actions/setup-node
path: |
~/.npm
${{ github.workspace }}/.next/cache
# Generate a new cache whenever packages or source files change.
key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
# If source files changed but packages didn't, rebuild from a prior cache.
restore-keys: |
${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-