From d9348048e23dc09ad42ee7e9de53cb32b8636f7f Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Mon, 1 Apr 2024 20:19:39 +0100 Subject: [PATCH 01/13] Add Snyk scan workflow for dotNET vulnerabilities. --- .github/workflows/snyk_scan.yml | 38 +++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/snyk_scan.yml diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml new file mode 100644 index 0000000..375c51d --- /dev/null +++ b/.github/workflows/snyk_scan.yml @@ -0,0 +1,38 @@ +name: Scan dotNET using Snyk + +on: + push: + branches: [ main ] + paths-ignore: + - .gitignore + - README.md + - LICENSE + - '.github/**' + pull_request: + # The branches below must be a subset of the branches above + branches: [ main ] + +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + + - name: Setup .NET + uses: actions/setup-dotnet@3.0.3 + + - name: Restore dependencies + run: dotnet restore + + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/dotnet@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif From 1cea5ca98f8013c2818e57f060ea71fff9fa04bc Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Thu, 20 Jun 2024 15:05:51 +0100 Subject: [PATCH 02/13] Update snyk_scan.yml change the setup-dotnet action version --- .github/workflows/snyk_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 375c51d..c7a48ca 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml 
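Review bot: The `security` job declares no `permissions:` block, yet its last step (`github/codeql-action/upload-sarif@v2`) needs `security-events: write`, so on a repository whose default `GITHUB_TOKEN` is read-only the upload fails after the scan has already run. Add, under `security:` beside `runs-on:`, the three lines `permissions:` / `contents: read` / `security-events: write`, which also limits the token to what this job actually needs. Both third-party actions are referenced by a moving branch (`actions/checkout@master`, `snyk/actions/dotnet@master`), so the code that receives `SNYK_TOKEN` can change without any commit in this repository; pin each to a release tag or a full commit SHA (`actions/checkout@v4` is a published tag; for the Snyk action use `snyk/actions/dotnet@<release-tag-or-sha>`). Note also that `secrets.SNYK_TOKEN` is empty on `pull_request` runs from forks, so with `continue-on-error: true` the scan step silently produces nothing and the upload step is the one that fails.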
@@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@master - name: Setup .NET - uses: actions/setup-dotnet@3.0.3 + uses: actions/setup-dotnet@4 - name: Restore dependencies run: dotnet restore From c0487d80404e3b9b3e928923625acd5e4c7cbe2d Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Fri, 21 Jun 2024 11:10:14 +0100 Subject: [PATCH 03/13] update setup-dotnet version --- .github/workflows/snyk_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index c7a48ca..6dda436 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@master - name: Setup .NET - uses: actions/setup-dotnet@4 + uses: actions/setup-dotnet@4.0.0 - name: Restore dependencies run: dotnet restore From 9563c886c9b7c3a359a0c7c9f4c1cf48f0b062f3 Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Fri, 21 Jun 2024 11:13:26 +0100 Subject: [PATCH 04/13] update again --- .github/workflows/snyk_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 6dda436..8a4e289 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -19,7 +19,7 @@ jobs: - uses: actions/checkout@master - name: Setup .NET - uses: actions/setup-dotnet@4.0.0 + uses: actions/setup-dotnet@v4.0.0 - name: Restore dependencies run: dotnet restore From 65670f446281007c783ae248fc3cb9e596cab813 Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Fri, 21 Jun 2024 11:32:17 +0100 Subject: [PATCH 05/13] set working directory --- .github/workflows/snyk_scan.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 8a4e289..f20c748 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml 
@@ -15,6 +15,9 @@ on: jobs: security: runs-on: ubuntu-latest + defaults: + run: + working-directory: ./app steps: - uses: actions/checkout@master @@ -33,6 +36,6 @@ jobs: args: --sarif-file-output=snyk.sarif - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif From 1b75fd0503fd2be53b21ed5e35502e0192bbb724 Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 15:44:30 +0100 Subject: [PATCH 06/13] Update working folder --- .github/workflows/snyk_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index f20c748..5d23620 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest defaults: run: - working-directory: ./app + working-directory: app steps: - uses: actions/checkout@master From 9a67b10425d9ad8157ac17dd22bcc83a3b3dab9f Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 15:49:42 +0100 Subject: [PATCH 07/13] remove working folder --- .github/workflows/snyk_scan.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 5d23620..99e87d5 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -15,9 +15,6 @@ on: jobs: security: runs-on: ubuntu-latest - defaults: - run: - working-directory: app steps: - uses: actions/checkout@master From a8f2e548b784bf613d9c100e9339b2e5b7efa16b Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 16:44:36 +0100 Subject: [PATCH 08/13] Update snyk_scan.yml --- .github/workflows/snyk_scan.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 99e87d5..200a8ad 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml 
@@ -30,9 +30,13 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=snyk.sarif + args: --sarif-file-output=${{ GITHUB_WORKSPACE }}/scan/snyk.sarif + + - name: Echo values from ENV + run: | + ls ${{ GITHUB_WORKSPACE }}/scan - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: snyk.sarif + sarif_file: ${{ GITHUB_WORKSPACE }}/scan/snyk.sarif From 9b828f8db468fdae8680dd48bb162d142f057315 Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 16:50:02 +0100 Subject: [PATCH 09/13] Update snyk_scan.yml Change the restore --- .github/workflows/snyk_scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 200a8ad..cc0222e 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -22,7 +22,7 @@ jobs: uses: actions/setup-dotnet@v4.0.0 - name: Restore dependencies - run: dotnet restore + run: dotnet restore Tanzy.Xunit.sln - name: Run Snyk to check for vulnerabilities uses: snyk/actions/dotnet@master @@ -30,7 +30,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=${{ GITHUB_WORKSPACE }}/scan/snyk.sarif + args: --sarif-file-output=snyk.sarif - name: Echo values from ENV run: | @@ -39,4 +39,4 @@ jobs: - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: ${{ GITHUB_WORKSPACE }}/scan/snyk.sarif + sarif_file: snyk.sarif From 7230e6358dcbebe6edce172c59d530a676cba0ef Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 16:52:51 +0100 Subject: [PATCH 10/13] Update snyk_scan.yml --- .github/workflows/snyk_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index cc0222e..b46de93 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml 
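Review bot: `${{ GITHUB_WORKSPACE }}` is not a valid expression — `GITHUB_WORKSPACE` is an environment variable, not a named context — so all three added lines in this hunk should be rejected when the workflow is parsed; the expression form is `${{ github.workspace }}` and the shell form is `$GITHUB_WORKSPACE`. Because both `sarif_file` and `--sarif-file-output` are resolved relative to the workspace anyway, the plain `snyk.sarif` is the simpler choice. The `Echo values from ENV` step is a debugging aid whose body is a bare `ls`; if it is kept, name it for what it does, and drop it before merge.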
@@ -34,7 +34,7 @@ jobs: - name: Echo values from ENV run: | - ls ${{ GITHUB_WORKSPACE }}/scan + ls - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 From c1532b9dc69a6becca79650a87626f5eeeb74afb Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Tue, 16 Jul 2024 17:02:27 +0100 Subject: [PATCH 11/13] Update snyk_scan.yml --- .github/workflows/snyk_scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index b46de93..f17da52 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -30,13 +30,13 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=snyk.sarif + args: --sarif-file-output=./scan/snyk.sarif - name: Echo values from ENV run: | - ls + ls ./scan/ - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: snyk.sarif + sarif_file: ./scan/snyk.sarif From 5956df117654b3afb6c40ad97043bea8d331966c Mon Sep 17 00:00:00 2001 From: Ken Lea Date: Wed, 17 Jul 2024 08:34:50 +0100 Subject: [PATCH 12/13] Update snyk_scan.yml --- .github/workflows/snyk_scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index f17da52..505ba82 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -30,11 +30,11 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=./scan/snyk.sarif + args: --sarif-file-output=snyk.sarif --sarif --file=Tanzy.Xunit.sln - name: Echo values from ENV run: | - ls ./scan/ + ls - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 From 76ec808eac62d7b22808148fbd6c078e85fbcfd5 Mon Sep 17 00:00:00 2001 
From: Ken Lea Date: Wed, 17 Jul 2024 08:36:21 +0100 Subject: [PATCH 13/13] Update snyk_scan.yml --- .github/workflows/snyk_scan.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/snyk_scan.yml b/.github/workflows/snyk_scan.yml index 505ba82..e00ebc6 100644 --- a/.github/workflows/snyk_scan.yml +++ b/.github/workflows/snyk_scan.yml @@ -30,13 +30,9 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=snyk.sarif --sarif --file=Tanzy.Xunit.sln - - - name: Echo values from ENV - run: | - ls + args: --sarif-file-output=snyk.sarif --file=Tanzy.Xunit.sln - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: ./scan/snyk.sarif + sarif_file: snyk.sarif
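Review bot: With `continue-on-error: true` still on the Snyk step, every failure mode of the scan — an empty `SNYK_TOKEN` on a fork pull request, a restore or plugin error, `--file=Tanzy.Xunit.sln` not resolving — is swallowed, and the only visible symptom is the upload step failing because `snyk.sarif` was never written. Give the scan step an `id`, make the upload conditional on the file existing, and add a final step that fails the job when the scan step's `outcome` is `failure` and no SARIF was produced, so a broken scan is reported as a scan failure rather than as a missing file. The Snyk CLI exits non-zero both when it finds issues and when the scan itself errors, so the presence of the SARIF file is the more reliable discriminator here; confirm against the CLI's documented exit codes. Dropping `--sarif` is correct, since `--sarif-file-output` already writes the file.
```yaml
      - name: Run Snyk to check for vulnerabilities
        id: snyk
        uses: snyk/actions/dotnet@master
        continue-on-error: true # To make sure that SARIF upload gets called
        # … unchanged: env and with …

      - name: Upload result to GitHub Code Scanning
        if: ${{ hashFiles('snyk.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

      - name: Fail when the scan produced no SARIF
        if: ${{ steps.snyk.outcome == 'failure' && hashFiles('snyk.sarif') == '' }}
        run: |
          echo "Snyk scan failed before writing snyk.sarif; see the scan step output"
          exit 1
```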