diff --git a/.github/workflows/snyk-lts.yml b/.github/workflows/snyk-lts.yml
deleted file mode 100644
index ee6c1e0a2e..0000000000
--- a/.github/workflows/snyk-lts.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-# This workflow will scan and monitor all the LTS releases for vulnerabilities with Snyk
-name: Snyk Container for LTS Releases
-on:
- push:
- # These branches represent the LTS releases
- branches:
- - 0.12.lts
- - 1.2.lts
- paths:
- - aries_cloudagent/**
- - acapy_agent/**
- - docker/**
-
-permissions:
- contents: read
-
-jobs:
- snyk:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
- if: ${{ github.repository_owner == 'openwallet-foundation' }}
- steps:
- - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-
- - name: Build a Docker image
- run: docker build -t acapy-agent -f docker/Dockerfile .
-
- - name: Run Snyk to check Docker image for vulnerabilities
- # Snyk can be used to break the build when it detects vulnerabilities.
- # In this case we want to upload the issues to GitHub Code Scanning
- continue-on-error: true
- uses: snyk/actions/docker@9adf32b1121593767fc3c057af55b55db032dc04 # 1.0.0
- env:
- # In order to use the Snyk Action you will need to have a Snyk API token.
- # More details in https://github.com/snyk/actions#getting-your-snyk-token
- # or you can signup for free at https://snyk.io/login
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- with:
- image: acapy-agent
- args: --file=docker/Dockerfile
- # Adding a snyk monitor command which continuously monitors the image for vulnerabilities
- # See https://support.snyk.io/hc/en-us/articles/360000920818-What-are-the-differences-among-snyk-test-monitor-and-protect for more details
- command: monitor
-
- # Replace any "null" security severity values with 0. The null value is used in the case
- # of license-related findings, which do not do not indicate a security vulnerability.
- # See https://github.com/github/codeql-action/issues/2187 for more context.
- - name: Post process snyk sarif file - run: | - sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif - - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v3.29.5 - with: - sarif_file: snyk.sarif diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 9d67cd07f0..dbdcc31991 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -3,7 +3,9 @@ on: push: branches: - main + - '**.lts' # LTS release branches (e.g., 0.12.lts, 1.2.lts) paths: + - aries_cloudagent/** # Legacy directory (older LTS branches) - acapy_agent/** - docker/** @@ -37,6 +39,18 @@ jobs: image: acapy-agent args: --file=docker/Dockerfile + - name: Run Snyk monitor for continuous monitoring + # Continuously monitor for new vulnerabilities in released/releasable code + # See https://support.snyk.io/hc/en-us/articles/360000920818-What-are-the-differences-among-snyk-test-monitor-and-protect + continue-on-error: true + uses: snyk/actions/docker@9adf32b1121593767fc3c057af55b55db032dc04 # 1.0.0 + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: acapy-agent + args: --file=docker/Dockerfile + command: monitor + # Replace any "null" security severity values with 0. The null value is used in the case # of license-related findings, which do not do not indicate a security vulnerability. # See https://github.com/github/codeql-action/issues/2187 for more context.
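Review bot: The `paths` filter on the consolidated `push` trigger means a push that only touches the dependency manifests, or this workflow file itself, never rebuilds or rescans the image, even though the container's vulnerability content is largely determined by what `docker/Dockerfile` installs from those manifests; check which files the Dockerfile copies from the repo root (a `pyproject.toml`/lock file, presumably) and add them, along with `.github/workflows/snyk.yml`, to `paths`, unless another trigger such as a `schedule` exists further down in `on:` that I cannot see from this hunk. The `'**.lts'` glob also widens the trigger from the two branches the deleted LTS workflow listed explicitly to any branch whose name ends in `.lts`, which on a push-only trigger is limited to collaborators but is still a deliberate policy change worth stating in the comment, e.g. `# any branch ending in .lts is treated as an LTS release line and is scanned and monitored`.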
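Review bot: With `main` and every `*.lts` branch now running `snyk container monitor` on the same image name `acapy-agent` and no project or target distinction in `args`, the snapshots from the different branches will, as far as I understand Snyk's keying of container projects, land in one Snyk project and overwrite each other, so only the branch that pushed last is actually under continuous monitoring — the coverage gap this consolidation was meant to close. Pass the branch through as a target reference, e.g. `args: --file=docker/Dockerfile --target-reference=${{ github.ref_name }}` (or a per-branch `--project-name`), and confirm in the Snyk UI that one target per branch appears. `github.ref_name` is only influenced here by people who can already push matching branches, but if the action hands `args` to a shell, route the ref through `env` rather than interpolating it into the command. Separately, `continue-on-error: true` on the monitor step means an expired or revoked `SNYK_TOKEN` silently ends continuous monitoring while the run stays green; consider dropping it for this step, since a failed monitor upload, unlike a failed test with findings, has nothing to hand on to Code Scanning.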