From 8bc97517fb16499b0cd20a14cd01ad286349ded8 Mon Sep 17 00:00:00 2001 From: rugk Date: Fri, 4 Jun 2021 23:43:01 +0200 Subject: [PATCH 1/2] Add Snyk security scan for PHP After I found https://github.com/PrivateBin/docker-nginx-fpm-alpine/pull/44 I saw they also support PHP, so let's do it here (one level before container packaging), too. Also it complements the CodeQL analysis, which only covers the JS part. I added the API token to the PrivateBIn org now. --- .github/workflows/snyk-scan.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/snyk-scan.yml diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml new file mode 100644 index 00000000..af0afbd7 --- /dev/null +++ b/.github/workflows/snyk-scan.yml @@ -0,0 +1,27 @@ +# This is a basic workflow to help you get started with Actions + +name: Snyk scan + +on: + # Triggers the workflow on push or pull request events but only for the master branch + push: + branches: [ master ] + pull_request: + branches: [ master ] +jobs: + # https://github.com/snyk/actions/tree/master/php + snyk-php: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/php@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif From 371dca19868464f3adf6a52a54423bd4f3652125 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sat, 5 Jun 2021 08:10:12 +0200 Subject: [PATCH 2/2] ensure the GCS library and dependencies get included in the scan --- .github/workflows/snyk-scan.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index af0afbd7..15e2beec 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@master + - name: Install Google Cloud Storage + run: composer require google/cloud-storage - name: Run Snyk to check for vulnerabilities uses: snyk/actions/php@master continue-on-error: true # To make sure that SARIF upload gets called