RADAR-base · pvannierop · Feb 14, 2025 · Feb 13, 2025 · Feb 14, 2025
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,61 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+    DOCKER_IMAGE_BACKEND: radarbase/radar-rest-source-auth-backend
+    DOCKER_IMAGE_FRONTEND: radarbase/radar-rest-source-authorizer
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities on backend image
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE_BACKEND }}
+          args: >-
+            --file=authorizer-app-backend/Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload backend result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: backend
+          sarif_file: snyk.sarif
+
+      - name: Run Snyk to check for vulnerabilities on frontend image
+        uses: snyk/actions/docker@master
+        env:
+            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+            image: ${{ env.DOCKER_IMAGE_FRONTEND }}
+            args: >-
+              --file=authorizer-app/Dockerfile
+              --fail-on=upgradable
+              --severity-threshold=high
+              --policy-path=.snyk
+              --exclude-app-vulns
+              --org=radar-base
+              --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload frontend result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: frontend
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
@@ -1,51 +1,38 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
+
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
     runs-on: ubuntu-latest
-    env:
-      REPORT_FILE: test.json
+
     steps:
       - uses: actions/checkout@v3
-      - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
-
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+      - uses: actions/setup-node
         with:
           node-version: 16
+          cache: npm
 
-      - uses: actions/setup-java@v3
-        with:
-          distribution: temurin
-          java-version: 17
-
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
-
-      - name: Run Snyk
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: >
-          snyk test
-          --all-projects
-          --configuration-matching='^runtimeClasspath$'
-          --fail-on=upgradable
-          --json-file-output=${{ env.REPORT_FILE }}
-          --org=radar-base
-          --policy-path=$PWD/.snyk
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
 
-      - name: Report new vulnerabilities
-        uses: thehyve/report-vulnerability@master
-        if: success() || failure()
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          report-file: ${{ env.REPORT_FILE }}
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -1,36 +1,32 @@
-name: Snyk test
+name: Snyk test on PR commits
+
 on:
   pull_request:
-    branches: [ master, dev ]
+    branches:
+      - main
+      - dev
+      - release-*
+
 jobs:
   security:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
-
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+      - uses: actions/setup-node
         with:
           node-version: 16
-
-      - uses: actions/setup-java@v3
-        with:
-          distribution: temurin
-          java-version: 17
-
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
+          cache: npm
+          cache-dependency-path: '**/package-lock.json'
 
       - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: >
-          snyk test
-          --all-projects
-          --configuration-matching='^runtimeClasspath$'
-          --org=radar-base
-          --policy-path=$PWD/.snyk
-          --severity-threshold=high
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk