add Snyk workflow (#36349)

Resolves #35677

add Snyk workflow (#36349)
f2b7f78d · Alexander Solovyov · GitHub · f8ec8b30 · f2b7f78d · f2b7f78d
Unverified Commit f2b7f78d authored 1 year ago by Alexander Solovyov Committed by GitHub 1 year ago
--- a/.github/scripts/write-poms.sh
+++ b/.github/scripts/write-poms.sh
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+function pom() {
+    path=$1
+    echo "Writing ${path}/pom.xml"
+    (cd "$path" && clojure -X:deps mvn-pom)
+}
+
+pom .
+
+for k in $(ls modules/drivers/); do
+    test -d "modules/drivers/$k" && pom "modules/drivers/$k"
+done
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
+name: "Snyk"
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'release-**'
+    paths:
+      - '**/deps.edn'
+      - '**/package.json'
+      - '.github/workflows/snyk.yml'
+      - '.github/scripts/write-poms.xml'
+  schedule:
+    - cron: '0 5 * * *'
+
+
+jobs:
+  monitor:
+    name: Generate Snyk report
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - name: Prepare back-end environment
+        uses: ./.github/actions/prepare-backend
+        with:
+          m2-cache-key: 'snyk'
+      - uses: snyk/actions/setup@0.4.0
+      - name: Generate all pom.xml
+        run: .github/scripts/write-poms.sh
+      - name: Run snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        continue-on-error: true
+        run: snyk test --all-projects --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif