security-scans.yml
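---
name: RAGStack Security Scan

# Least privilege for the job token: the steps below only check out the repo,
# run a script and post to Slack via a webhook secret, none of which needs
# write access. Widen per job only if the local composite actions turn out to
# use GITHUB_TOKEN for more than reads (not visible from this file).
permissions:
  contents: read

on:
  workflow_dispatch: {}
  schedule:
    - cron: '0 * * * *'
  # might be a good idea to run this on every PR, but it's a bit too noisy since we cannot actually fix the vulnerabilities sometimes but we don't want to ignore them as well
  # pull_request:
  #   branches:
  #     - main

jobs:
  snyk:
    name: Run Snyk scan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions below are referenced by mutable
      # tags; pinning each to a full commit SHA (keeping the tag in a trailing
      # comment) makes the action supply chain reproducible.
      - name: Check out the repo
        uses: actions/checkout@v3
      - name: Run Snyk to check for vulnerabilities
        id: snyk
        uses: ./.github/actions/snyk-python-3.11
        with:
          token: ${{ secrets.SNYK_TOKEN }}
      - uses: actions/setup-python@v4
        with:
          python-version: '3.x'
      # always(): the report is processed even when the scan step failed
      # because it found vulnerabilities.
      - name: Process Snyk report
        if: always()
        run: python ./scripts/parse-snyk-report.py snyk-vuln.json snyk-report.txt
      - name: Prepare report for Slack
        if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
        uses: ./.github/actions/generate-slack-report
        with:
          from-report-file: snyk-report.txt
          output-file: slack-report.json
          type: "RAGStack Security Scan"
          outcome: ${{ steps.snyk.outcome }}
          # No step in this workflow has id `commit-ref`, so the former
          # `steps.commit-ref.outputs.commit-ref` expanded to an empty string and
          # produced a dangling /commits/ link. github.sha is the commit that
          # was actually checked out and scanned.
          commit-url: "https://github.com/datastax/ragstack-ai/commits/${{ github.sha }}"
      - name: Dump report on Slack
        if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
        # NOTE(review): this action reference looks garbled by the page's e-mail
        # obfuscation ("[email protected]" is not a valid owner/repo@ref). It
        # presumably should read slackapi/slack-github-action@<pinned-ref>;
        # restore it from the repository before relying on this workflow.
        uses: slackapi/[email protected]
        with:
          payload-file-path: "./slack-report.json"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}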