ci: 🧷 Create snyk-security.yml #1406

Merged
merged 1 commit into from
Jul 14, 2024

Conversation

@Anselmoo Anselmoo commented Jul 14, 2024

All PR-Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

New ✨✨ Feature-Submissions:

  • Does your submission pass tests?
  • Have you linted your code locally prior to submission? Fixed:
  • This PR is for a new feature, not a bug fix.

Changes to ⚙️ Core-Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

Summary by Sourcery

This pull request introduces a new GitHub Actions workflow to integrate Snyk security scanning into the CI pipeline. The workflow will analyze code, open source dependencies, containers, and infrastructure as code for security issues, and upload the results to GitHub Security Code Scanning.

  • CI:
    • Added a new GitHub Actions workflow to integrate Snyk security scanning for code, open source dependencies, containers, and infrastructure as code.

sourcery-ai bot commented Jul 14, 2024

Reviewer's Guide by Sourcery

This pull request introduces a new GitHub Actions workflow file named snyk-security.yml to integrate Snyk security scanning into the CI pipeline. The workflow is designed to run on pushes to the main and gh-pages branches, as well as on pull requests targeting the main branch. It sets up the Snyk CLI to perform various security analyses, including SAST, SCA, IaC, and container security scans, and uploads the results to GitHub Security Code Scanning and Snyk.

File-Level Changes

File: .github/workflows/snyk-security.yml
Changes: Introduced a new GitHub Actions workflow for comprehensive Snyk security scanning, including SAST, SCA, IaC, and container security analyses, with results uploaded to GitHub Security Code Scanning and Snyk.

@Anselmoo Anselmoo enabled auto-merge July 14, 2024 18:53
@sourcery-ai sourcery-ai bot left a comment

Hey @Anselmoo - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

  • Docker build command syntax issue

Here's what I looked at during the review
  • 🔴 General issues: 1 blocking issue, 5 other issues
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Complexity: all looks good
  • 🟢 Documentation: all looks good

on:
push:
branches: ["main", "gh-pages"]

suggestion (performance): Consider limiting branch triggers

Triggering the workflow on every push to 'main' and 'gh-pages' might be too broad. Consider limiting it to specific branches or tags to avoid unnecessary runs.

Suggested change
branches: ["main", "gh-pages"]
branches:
- main
- gh-pages
- 'releases/*'

run: snyk iac test --report # || true

# Build the docker image for testing
- name: Build a Docker image

issue (bug_risk): Docker build command syntax issue

The Docker build command should be docker build -t <tag> . instead of docker build -t ./Dockerfile .. The -t flag is for tagging the image, not specifying the Dockerfile.
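
Review bot: the corrected build command also needs a tag that the later scan step can reuse, for example `docker build -t <image-tag> .` followed by `snyk container monitor <image-tag> --file=Dockerfile` (placeholder tag; pick one for the repository). Fixing only the `-t` argument leaves `snyk container monitor ./Dockerfile` pointing at a file path where an image reference is expected, so the container scan would still fail once the build step is repaired.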

# Runs Snyk Code (SAST) analysis and uploads result into GitHub.
# Use || true to not fail the pipeline
- name: Snyk Code test
run: snyk code test --sarif > snyk-code.sarif # || true

suggestion (bug_risk): Consider handling Snyk command failures

Using || true to ignore failures might hide critical issues. Consider handling failures more gracefully or logging them for further inspection.

Suggested change
run: snyk code test --sarif > snyk-code.sarif # || true
run: |
snyk code test --sarif > snyk-code.sarif || {
echo "Snyk Code test failed. Please check the logs for more details.";
exit 1;
}
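
Review bot: the step comment `# Use || true to not fail the pipeline` no longer matches the command, where `|| true` is commented out; drop or update the comment so the intended behaviour is explicit. The suggested `exit 1` also treats every non-zero Snyk exit code alike: the CLI exits 1 when it finds issues and 2 when the scan itself fails, so failing on exit 1 stops the run on any finding and skips the SARIF upload this step feeds unless that upload runs with `if: always()`. Gate the step on tool failure and let the uploaded SARIF carry the findings into GitHub code scanning.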

# Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
# Use || true to not fail the pipeline.
- name: Snyk IaC test and report
run: snyk iac test --report # || true

suggestion (bug_risk): Consider handling Snyk IaC command failures

Using || true to ignore failures might hide critical issues. Consider handling failures more gracefully or logging them for further inspection.

Suggested change
run: snyk iac test --report # || true
run: |
snyk iac test --report || echo "Snyk IaC test failed, but continuing pipeline" >> snyk_iac_errors.log
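
Neither suggestion in the two `|| true` threads (Snyk Code and Snyk IaC) separates "the scan found issues" from "the scan could not run", and the IaC variant only appends to a log file that no later step reads. As an added example, not part of PR #1406 or of Snyk's own tooling, this POSIX shell wrapper maps the Snyk CLI's documented exit codes (0 no issues, 1 issues found, 2 tool failure, 3 no supported project) so that findings leave the step green for the following upload step while tool failures and misconfiguration fail it; the function names `classify_snyk_exit` and `run_snyk_step` are mine.

```shell
#!/bin/sh
# Added example, not part of PR #1406. Wraps a Snyk CLI call so a workflow
# step distinguishes "scan found issues" from "scan could not run".
#
# Snyk CLI exit codes: 0 = no issues, 1 = issues found,
#                      2 = tool failure (retry), 3 = no supported projects.

# classify_snyk_exit CODE -> prints clean | findings | nothing | error
classify_snyk_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo findings ;;
    3) echo nothing ;;
    *) echo error ;;   # 2, and anything unexpected, is a broken scan
  esac
}

# run_snyk_step CMD [ARGS...]
# Runs the command and returns 0 for clean/findings (so a later SARIF upload
# step still runs and findings are triaged in GitHub code scanning), and 1
# when the tool failed or found nothing to scan. All messages go to stderr so
# a stdout redirect such as '> snyk-code.sarif' receives only the report.
run_snyk_step() {
  if "$@"; then status=0; else status=$?; fi
  kind=$(classify_snyk_exit "$status")
  case "$kind" in
    clean)    echo "snyk: completed, no issues found" >&2 ;;
    findings) echo "snyk: issues found (exit 1); review the uploaded results" >&2 ;;
    nothing)  echo "snyk: no supported project detected (exit 3); check the working directory" >&2
              return 1 ;;
    error)    echo "snyk: tool failure (exit $status); this is not a scan result" >&2
              return 1 ;;
  esac
  return 0
}

# Workflow usage (inside a 'run: |' step, after defining the functions):
#   run_snyk_step snyk code test --sarif > snyk-code.sarif
#   run_snyk_step snyk iac test --report
```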

run: docker build -t ./Dockerfile .
# Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
- name: Snyk Container monitor
run: snyk container monitor ./Dockerfile --file=Dockerfile

suggestion: Redundant Dockerfile path

The --file=Dockerfile flag is redundant when the Dockerfile is in the default location. Consider removing it for simplicity.

Suggested change
run: snyk container monitor ./Dockerfile --file=Dockerfile
run: snyk container monitor ./Dockerfile
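
Review bot: `--file=Dockerfile` is not the redundant part and should stay. Snyk uses that flag to link the Dockerfile to the scanned image so that base-image remediation advice maps back to its `FROM` line. The argument that needs fixing is the positional one: `snyk container monitor` expects an image reference, and `./Dockerfile` is a path, so it should name the tag produced by the build step, for example `snyk container monitor <image-tag> --file=Dockerfile` (placeholder tag).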

- name: Set up Snyk CLI to check for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the SAST issues to GitHub Code Scanning
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb

suggestion: Pinning actions to a specific commit

Pinning actions to a specific commit ensures stability but might miss out on important updates. Consider using a version tag for a balance between stability and updates.

Suggested change
uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
uses: snyk/actions/setup@v1
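
Review bot: keep the full commit SHA pin and do not switch to `@v1`. A tag is a mutable reference that the action's maintainer, or anyone who gains write access to that repository, can move to different code, whereas `806182742461562b67788a64410098c9d9b96adb` fixes exactly which code runs in this CI with the repository's secrets; pinning third-party actions to a SHA is the supply-chain hardening GitHub itself recommends. Address the update concern without unpinning: append a `# vX.Y.Z` comment next to the SHA and let Dependabot's `github-actions` ecosystem propose bumps.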

@github-actions github-actions bot added the github-actions Pull requests that update Github_actions code label Jul 14, 2024
codecov bot commented Jul 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (acf6f83) to head (c9d35b7).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1406   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           44        44           
  Lines         4467      4467           
=========================================
  Hits          4467      4467           
Flag        Coverage Δ
unittests   100.00% <ø> (ø)


@Anselmoo Anselmoo merged commit b623e39 into main Jul 14, 2024
33 of 34 checks passed
@Anselmoo Anselmoo deleted the Anselmoo-patch-2 branch July 14, 2024 19:13