Merge pull request #309 from cypress-io/SEC-229

admah · web-flow · commit 2adfce874876 · 2022-09-23T17:01:02.000-05:00
diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml
@@ -0,0 +1,32 @@
+name: Snyk Software Composition Analysis Scan
+# This git workflow leverages Snyk actions to perform a Software Composition 
+# Analysis scan on our Opensource libraries upon Pull Requests to Master & 
+# Develop branches. We use this as a control to prevent vulnerable packages 
+# from being introduced into the codebase. 
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches: 
+      - master
+jobs:
+  Snyk_SCA_Scan:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [16.x]
+    steps:
+      - uses: actions/checkout@v2
+      - name: Setting up Node
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Installing snyk-delta and dependencies
+        run: npm i -g snyk-delta
+      - uses: snyk/actions/setup@master
+      - name: Perform SCA Scan
+        continue-on-error: false
+        run: |
+          snyk test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=critical
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk_static_analysis_scan.yaml b/.github/workflows/snyk_static_analysis_scan.yaml
@@ -0,0 +1,28 @@
+name: Snyk Static Analysis Scan
+# This git workflow leverages Snyk actions to perform a Static Application 
+# Testing scan (SAST) on our first-party code upon Pull Requests to Master & 
+# Develop branches. We use this as a control to prevent vulnerabilities 
+# from being introduced into the codebase. 
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches: 
+      - master
+jobs:
+  Snyk_SAST_Scan :
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: snyk/actions/setup@master
+      - name: Perform Static Analysis Test
+        continue-on-error: true
+        run: |
+          snyk code test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=high
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      # The Following Requires Advanced Security License
+      # - name: Upload results to Github Code Scanning
+      #   uses: github/codeql-action/upload-sarif@v1
+      #   with:
+      #     sarif_file: snyk_sarif
