Add Snyk scan check
Also check that repos have Snyk scans in their CI pipelines.
MuriloDalRi committed Dec 28, 2023
1 parent fe4b349 commit 4da9743
Showing 3 changed files with 4 additions and 3 deletions.
3 changes: 2 additions & 1 deletion lib/github_fetcher.rb
@@ -157,8 +157,9 @@ def has_sca_sast_scans?(repo)
ci_file = Base64.decode64(github.contents("#{organisation}/#{repo}", path: ".github/workflows/ci.yml").content)
sca_string = "uses: alphagov/govuk-infrastructure/.github/workflows/dependency-review.yml@main"
sast_string = "uses: alphagov/govuk-infrastructure/.github/workflows/codeql-analysis.yml@main"
snyk_string = "uses: alphagov/govuk-infrastructure/.github/workflows/snyk-security.yml@main"

ci_file.include?(sca_string) && ci_file.include?(sast_string)
ci_file.include?(sca_string) && ci_file.include?(sast_string) && ci_file.include?(snyk_string)
rescue Octokit::NotFound => e
true # if a CI file is not present assume no scans are needed
end
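Review bot: the method is still named `has_sca_sast_scans?` but the new condition on the changed line also requires the Snyk workflow, so callers and the spec now get a Snyk requirement under a name that does not mention it; rename it (for example to `has_security_scans?`) or add a comment above the method stating the three workflows it expects. While touching this line, the growing `&&` chain reads better as `[sca_string, sast_string, snyk_string].all? { |s| ci_file.include?(s) }`, which also makes adding the next workflow a one-line change. Two pre-existing points worth noting in the same region: `rescue Octokit::NotFound => e` binds `e` without using it, and the check is a plain substring match on the raw `ci.yml`, so a commented-out `uses:` line would satisfy it just as well as a live one.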
2 changes: 1 addition & 1 deletion spec/github_fetcher_spec.rb
@@ -281,7 +281,7 @@

describe "CI checks" do
let(:bad_ci_file) { double(Sawyer::Resource, content: "rubbish") }
let(:good_ci_file) { double(Sawyer::Resource, content: "dXNlczogYWxwaGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93\nb3JrZmxvd3MvZGVwZW5kZW5jeS1yZXZpZXcueW1sQG1haW4KdXNlczogYWxw\naGFnb3YvZ292dWstaW5mcmFzdHJ1Y3R1cmUvLmdpdGh1Yi93b3JrZmxvd3Mv\nY29kZXFsLWFuYWx5c2lzLnltbEBtYWluCg==\n") }
let(:good_ci_file) { double(Sawyer::Resource, content: "ZFhObGN6b2dZV3h3YUdGbmIzWXZaMjkyZFdzdGFXNW1jbUZ6ZEhKMVkzUjFj\nbVV2TG1kcGRHaDFZaTkzCmIzSnJabXh2ZDNNdlpHVndaVzVrWlc1amVTMXla\nWFpwWlhjdWVXMXNRRzFoYVc0S2RYTmxjem9nWVd4dwphR0ZuYjNZdloyOTJk\nV3N0YVc1bWNtRnpkSEoxWTNSMWNtVXZMbWRwZEdoMVlpOTNiM0pyWm14dmQz\nTXYKWTI5a1pYRnNMV0Z1WVd4NWMybHpMbmx0YkVCdFlXbHVDZz09Cg==\n") }
let(:use_labels) { false }
let(:repos) { %w[repo1] }

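Review bot: the replacement `good_ci_file` value looks like the previous fixture base64-encoded a second time rather than a new fixture: its opening characters `ZFhObGN6b2c` decode to `dXNlczog`, which is exactly how the removed value begins. After the single `Base64.decode64` in `has_sca_sast_scans?` the result is therefore still base64 text, so it contains neither the existing SCA and SAST `uses:` strings nor the new `snyk_string`, and the "good" case cannot pass the updated check. Regenerate the fixture from the plain three-line YAML (the two existing `uses:` lines plus `uses: alphagov/govuk-infrastructure/.github/workflows/snyk-security.yml@main`), and consider building it in the spec with `Base64.strict_encode64` over a readable heredoc so reviewers can see what the fixture asserts without decoding it by hand.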
2 changes: 1 addition & 1 deletion templates/list_ci_issues.text.erb
@@ -1,4 +1,4 @@
The following repos are missing <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> scans in their CI pipelines (.github/workflows/ci.yml):
Please check that the following repos have <<%= "https://docs.publishing.service.gov.uk/manual/dependency-review.html" %>|<%= html_encode("SCA") %>>, <<%= "https://docs.publishing.service.gov.uk/manual/codeql.html" %>|<%= html_encode("SAST") %>> and <<%= "https://docs.publishing.service.gov.uk/manual/snyk.html" %>|<%= html_encode("SNYK") %>> scans in their CI pipelines (.github/workflows/ci.yml):
<% @repos.each do |repo| -%>
<<%= "https://github.com/alphagov/#{repo}" %>|<%= html_encode(repo) %>>
<% end -%>
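Review bot: the link label on the changed line is `SNYK` while the product and the linked manual page (`snyk.html`) use `Snyk`; SCA and SAST are acronyms, Snyk is a name, so `html_encode("Snyk")` reads correctly. A larger point: the fetcher reports a single boolean per repo, so this notice can only say that one of three scans is missing without saying which; if the check returned the list of missing workflows, the template could print them per repo and save the reader a trip to each `ci.yml`.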

0 comments on commit 4da9743