diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 00000000..752045ee
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,66 @@
+---
+name: Check for Snyk Vulnerabilities
+
+on: # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  # schedule:
+  # - cron: '0 12 * * *' # every day at 12pm UTC
+
+jobs:
+  snyk:
+    name: snyk test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: >
+          npm install snyk -g;
+          pip install -r requirements.txt;
+      - name: Run Snyk Scan
+        run: >
+          # Run scan
+          snyk test --file=requirements.txt --json-file-output=scan.json;
+
+          # Exit if no vulnerabilities
+          [[ "$(jq '.ok' scan.json)" == "true" ]] && exit 0;
+          while read -r fix
+          do
+            package=$(echo $fix | cut -d "=" -f 1)
+            sed -i "/${package}.*/d" ckan/requirements.in
+            sed -i "/${package}.*/d" ckan/requirements.txt
+            echo $fix >> ckan/requirements.in
+          done <<< $(jq -r '.vulnerabilities[] | .moduleName,.fixedIn[]'
+          scan.json | sed 'N;s/\n/>=/');
+
+          make update-dependencies;
+          exit 1
+      - name: Create Pull Request
+        if: ${{ failure() }}
+        id: scpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          commit-message: Update Pip Requirements
+          committer: Data.gov Github
+          author: ${{ github.actor }}
+          signoff: false
+          branch: example-patches
+          delete-branch: true
+          title: '[Snyk + GH Actions] Update requirements'
+          body: |
+            Update requirements
+            - Updated `requirements.in` + `requirements.txt`
+            - Auto-generated by [snyk.yml][1]
+
+            [1]: https://github.com/gsa/catalog.data.gov/\
+            .github/workflows/snyk.yml
+          labels: |
+            requirements
+            automated pr
+            snyk
+          reviewers: GSA/data-gov-team
+          team-reviewers: |
+            owners
+            maintainers
+          draft: false
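Review bot: The `Run Snyk Scan` step's folded scalar (`run: >`) joins adjacent lines with spaces, so `# Run scan` swallows the `snyk test …` command into a shell comment and `while read -r fix` / `do` collapse onto one line, leaving `done` as a syntax error; the header should be `run: |` (the `Install Dependencies` step only survives folding because every line ends in `;`, and should use `|` as well). If the loop body is indented deeper than `while`, as it reads here, those lines are preserved as separate lines and execute before bash reaches the parse error, and with `$package` empty `sed -i "/${package}.*/d"` becomes `sed -i "/.*/d"`, which empties `ckan/requirements.in` and `ckan/requirements.txt` — and `if: ${{ failure() }}` then opens a pull request from exactly that state. Even with `|`, the default step shell runs under `bash -e`, so a non-zero exit from `snyk test` (which it returns when findings exist) aborts the step before the fix loop; capture the status explicitly, e.g. `snyk test --file=requirements.txt --json-file-output=scan.json || true`, check `.ok` afterwards, and gate the PR step on an output of this step rather than on any failure. `snyk test` also needs `SNYK_TOKEN` in the step's `env:` to authenticate, and the scan targets `requirements.txt` while the edits go to `ckan/requirements.in` / `ckan/requirements.txt`, which looks inconsistent and is worth confirming against the repository layout.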