From 63c4e9bc7674727613cf4edd04dc3ef57e52e6e0 Mon Sep 17 00:00:00 2001 From: "Patrick F. Marques" Date: Sun, 8 Dec 2024 20:53:39 +0000 Subject: [PATCH 1/2] Snyk test k8s IAC --- .github/workflows/snyk-iac.yml | 38 ++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/snyk-iac.yml diff --git a/.github/workflows/snyk-iac.yml b/.github/workflows/snyk-iac.yml new file mode 100644 index 0000000..94df3b2 --- /dev/null +++ b/.github/workflows/snyk-iac.yml @@ -0,0 +1,38 @@ +name: Snyk scan + +on: + push: + branches: + - 'master' + pull_request: + branches: + - master + +permissions: + contents: read + +jobs: + security: + runs-on: ubuntu-24.04 + + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Run Snyk to check IAC + uses: snyk/actions/iac@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0 + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + file: k8s + args: --sarif-file-output=snyk.sarif + + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + with: + sarif_file: snyk.sarif From 49fb447db5f33da10076c727aa59bd9ac4237eeb Mon Sep 17 00:00:00 2001 From: "Patrick F. Marques" Date: Sun, 8 Dec 2024 20:54:55 +0000 Subject: [PATCH 2/2] Only run on k8s changes --- .github/workflows/snyk-iac.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/snyk-iac.yml b/.github/workflows/snyk-iac.yml index 94df3b2..1002c3d 100644 --- a/.github/workflows/snyk-iac.yml +++ b/.github/workflows/snyk-iac.yml @@ -4,9 +4,13 @@ on: push: branches: - 'master' + paths: + - 'k8s/**' pull_request: branches: - master + paths: + - 'k8s/**' permissions: contents: read