RAGStack Security Scan #142

	name: RAGStack Security Scan

	on:
	workflow_dispatch: {}
	schedule:
	- cron: '0 0 * * *'
	pull_request:
	paths:
	- '.github/workflows/security-scans.yml'
	- 'pyproject.toml'
	- 'poetry.lock'
	branches:
	- main

	jobs:
	snyk:
	name: Run Snyk scan
	runs-on: ubuntu-latest
	steps:
	- name: Check out the repo
	uses: actions/checkout@v3
	- name: Run Snyk to check for vulnerabilities
	id: snyk
	uses: ./.github/actions/snyk-python-3.11
	with:
	token: ${{ secrets.SNYK_TOKEN }}
	- uses: actions/setup-python@v4
	with:
	python-version: '3.x'
	- name: Process Snyk report
	if: always()
	run: python ./scripts/parse-snyk-report.py snyk-vuln.json snyk-report.txt

	- name: Dump report on Github Summary
	if: always()
	run: \|
	if [ -f "snyk-report.txt" ]; then
	echo "$(cat snyk-report.txt)" >> $GITHUB_STEP_SUMMARY
	echo "Report added to the summary"
	else
	echo "Report not found"
	fi

	- name: Prepare report for Slack
	if: always() && (github.event_name == 'schedule' \|\| github.event_name == 'workflow_dispatch')
	uses: ./.github/actions/generate-slack-report
	with:
	from-report-file: snyk-report.txt
	output-file: slack-report.json
	type: "RAGStack Security Scan"
	outcome: ${{ steps.snyk.outcome }}
	commit-url: "https://github.com/datastax/ragstack-ai/commits/${{ steps.commit-ref.outputs.commit-ref }}"
	- name: Dump report on Slack
	if: always() && (github.event_name == 'schedule' \|\| github.event_name == 'workflow_dispatch')
	uses: slackapi/[email protected]
	with:
	payload-file-path: "./slack-report.json"
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Provide feedback