diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
new file mode 100644
index 00000000..b86dcd46
--- /dev/null
+++ b/.github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,37 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+ schedule:
+ - cron: '0 3 * * 1'
+ workflow_dispatch:
+
+env:
+ DOCKER_IMAGE: radarbase/radar-backend
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ env.DOCKER_IMAGE }}
+ args: >-
+ --file=Dockerfile
+ --fail-on=upgradable
+ --severity-threshold=high
+ --policy-path=.snyk
+ --exclude-app-vulns
+ --org=radar-base
+ --sarif-file-output=snyk.sarif
+
+ # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+ - name: Upload Fitbit result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
\ No newline at end of file
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
new file mode 100644
index 00000000..bbe34f2b
--- /dev/null
+++ b/.github/workflows/scheduled-snyk.yaml
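Review bot: The Snyk step in scheduled-snyk-docker.yaml has no `continue-on-error: true` and the upload step has no `if: always()`, so whenever `--fail-on=upgradable` makes the scan fail the SARIF is never uploaded, which is exactly the case the upload exists for; the sibling scheduled-snyk.yaml already sets `continue-on-error: true # To make sure that SARIF upload gets called` on the same step. `snyk/actions/docker@master` is a mutable ref that runs with `SNYK_TOKEN`; pinning it to a release tag or a commit SHA keeps an upstream change from executing with the secret, and the same applies to `snyk/actions/gradle-jdk17@master` in scheduled-snyk.yaml and snyk.yaml. `github/codeql-action/upload-sarif` needs the `security-events: write` token scope, so the job should declare `permissions: { contents: read, security-events: write }` instead of relying on the repository's default token permissions. `image: radarbase/radar-backend` carries no tag, so the scan presumably covers whatever the registry currently serves as `latest` rather than the checked-out Dockerfile; if the intent is to scan the current code, build the image in the job first. The step name `Upload Fitbit result to GitHub Code Scanning` looks copied from another repository.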
@@ -0,0 +1,38 @@
+name: Snyk scheduled code base scan
+
+on:
+ schedule:
+ - cron: '0 2 * * 1'
+ workflow_dispatch:
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: actions/setup-node
+ with:
+ node-version: 16
+ cache: npm
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ continue-on-error: true # To make sure that SARIF upload gets called
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: >-
+ --all-projects
+ --configuration-matching='^runtimeClasspath$'
+ --fail-on=upgradable
+ --severity-threshold=high
+ --policy-path=.snyk
+ --org=radar-base
+ --sarif-file-output=snyk.sarif
+
+ # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 00000000..4aa6939e
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,27 @@
+name: Snyk test on PR commits
+
+on:
+ pull_request:
+ branches:
+ - main
+ - dev
+ - release-*
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: >-
+ --all-projects
+ --configuration-matching="^runtimeClasspath$"
+ --severity-threshold=high
+ --fail-on=upgradable
+ --org=radar-base
+ --policy-path=.snyk
diff --git a/.snyk b/.snyk
new file mode 100644
index 00000000..2b62034f
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}
diff --git a/build.gradle b/build.gradle
index 513e1bd9..42e1fb55 100644
--- a/build.gradle
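Review bot: `- uses: actions/setup-node` in scheduled-snyk.yaml has no `@ref`, which GitHub rejects when it validates the workflow, so this scheduled scan will not run at all; the step also looks unnecessary for a Gradle project scanned with `snyk/actions/gradle-jdk17`, and `cache: npm` expects a lockfile, so either drop the step or pin it as `actions/setup-node@v3` if something in the repository really needs Node. `continue-on-error: true` on the scan step means a scheduled run stays green even when high-severity upgradable issues are found; keeping the step failing and putting `if: always()` on the upload step still gets the SARIF uploaded while making the failure visible. As in the docker workflow, the upload step needs `permissions: security-events: write` declared on the job. `--configuration-matching='^runtimeClasspath$'` uses single quotes here and double quotes in snyk.yaml; the folded `>-` value reaches the action as one string and whether the quotes are stripped depends on how the action's entrypoint evaluates it, so the two files should at least agree.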
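Review bot: With the `pull_request` trigger in snyk.yaml, `secrets.SNYK_TOKEN` is not available to runs triggered from forked repositories, so the Snyk step fails on every fork PR with an authentication error rather than a finding; either document that in a comment above the step or guard it with `if: github.event.pull_request.head.repo.full_name == github.repository`. The job declares no `permissions:` block; `permissions: contents: read` is all this scan needs and keeps the token at least privilege.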
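Review bot: `ignore:` in .snyk is a bare key, which YAML reads as `null`, while `patch: {}` on the next line is an explicit empty mapping; writing `ignore: {}` gives both sections the same shape and avoids handing the policy loader a null where the comment above says a mapping of ignores with expiry dates belongs. The comment `# ignores vulnerabilities until expiry date; change duration by modifying expiry date` describes entries that do not exist yet, which is fine as a template as long as the key is an empty mapping.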
+++ b/build.gradle @@ -1,9 +1,19 @@ +buildscript { + repositories { + maven { + url = uri("https://plugins.gradle.org/m2/") + } + maven { + url = uri("https://nexus.web.cern.ch/nexus/content/repositories/public/") + } + } +} + plugins { // Apply the java plugin to add support for Java id 'java' id 'application' - id 'com.jfrog.bintray' version '1.8.1' apply false - + id 'com.jfrog.bintray' version '1.8.5' apply false } //---------------------------------------------------------------------------//