Scan for Vulnerabilities + make PRs automatically

.github/workflows/snyk.yml

@@ -0,0 +1,66 @@
+---
+name: Check for Snyk Vulnerabilities
+
+on:   # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  # schedule:
+  #   - cron: '0 12 * * *'  # every day at 12pm UTC
+
+jobs:
+  snyk:
+    name: snyk test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Dependencies
+        run: >
+          npm install snyk -g;
+          pip install -r requirements.txt;
+      - name: Run Snyk Scan
+        run: >
+          # Run scan
+          snyk test --file=requirements.txt --json-file-output=scan.json;
+
+          # Exit if no vulnerabilities
+          [[ "$(jq '.ok' scan.json)" == "true" ]] && exit 0;
+          while read -r fix
+          do
+            package=$(echo $fix | cut -d "=" -f 1)
+            sed -i "/${package}.*/d" ckan/requirements.in
+            sed -i "/${package}.*/d" ckan/requirements.txt
+            echo $fix >> ckan/requirements.in
+          done <<< $(jq -r '.vulnerabilities[] | .moduleName,.fixedIn[]'
+            scan.json | sed 'N;s/\n/>=/');
+
+          make update-dependencies;
+          exit 1
+      - name: Create Pull Request
+        if: ${{ failure() }}
+        id: scpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          commit-message: Update Pip Requirements
+          committer: Data.gov Github <[email protected]>
+          author: ${{ github.actor }} <[email protected]>
+          signoff: false
+          branch: example-patches
+          delete-branch: true
+          title: '[Snyk + GH Actions] Update requirements'
+          body: |
+            Update requirements
+            - Updated `requirements.in` + `requirements.txt`
+            - Auto-generated by [snyk.yml][1]
+
+            [1]: https://github.com/gsa/catalog.data.gov/\
+            .github/workflows/snyk.yml
+          labels: |
+            requirements
+            automated pr
+            snyk
+          reviewers: GSA/data-gov-team
+          team-reviewers: |
+            owners
+            maintainers
+          draft: false