ci: replace security-severity for license-related findings in snyk #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Snyk vulnerability scan | ||
| on: | ||
| workflow_call: | ||
| secrets: | ||
| SNYK_API_TOKEN: | ||
| required: true | ||
| jobs: | ||
| snyk: | ||
| name: Run Snyk vulnerability scan | ||
| runs-on: ubuntu-24.04 | ||
| timeout-minutes: 10 | ||
| permissions: | ||
| security-events: write | ||
| contents: read | ||
| actions: read | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }} | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| - name: Setup Snyk CLI | ||
| uses: snyk/actions/setup@master | ||
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v4 | ||
| with: | ||
| dotnet-version: 8.0 | ||
| - name: Setup Java | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| java-version: 21 | ||
| distribution: temurin | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20 | ||
| - name: Setup Go | ||
| uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: 1.22 | ||
| - name: Restore .NET projects | ||
| run: for PROJECT in $(find . -name *.csproj); do dotnet restore $PROJECT; done | ||
| - name: Run Snyk test | ||
| run: snyk test --all-projects --sarif-file-output=result.sarif --severity-threshold=medium | ||
| - name: Replace security-severity undefined for license-related findings | ||
| run: sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif | ||
| - name: Upload result to GitHub Code Scanning | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| if: always() | ||
| continue-on-error: true | ||
| with: | ||
| sarif_file: result.sarif | ||
| category: Snyk | ||
| - name: Run Snyk monitor | ||
| if: github.ref_name == 'master' || github.ref_name == 'main' | ||
| run: snyk monitor --all-projects | ||
