From 268b5381410f7ef64c15e88ac91887bcf26ade46 Mon Sep 17 00:00:00 2001 From: duncan-snyk Date: Fri, 29 Nov 2024 11:48:09 +0000 Subject: [PATCH 01/21] Create snyk-security.yml --- .github/workflows/snyk-security.yml | 104 ++++++++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 .github/workflows/snyk-security.yml diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml new file mode 100644 index 0000000000..bf9169b4ff --- /dev/null +++ b/.github/workflows/snyk-security.yml 
@@ -0,0 +1,104 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + + +name: Snyk Security + +on: + push: + branches: ["main" ] + pull_request: + branches: ["main"] + +permissions: + contents: read + packages: write + +jobs: + snyk: + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + permissions: + contents: write # for actions/checkout to fetch code and write bumped version back + packages: write + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - name: checkout code + uses: actions/checkout@v4 + + - name: setup jdk 8 + uses: actions/setup-java@v4 + with: + distribution: 'zulu' + java-version: 8 + server-id: github # Value of the distributionManagement/repository/id field of the pom.xml + settings-path: ${{ github.workspace }} # location for the settings.xml file + + - name: unit tests + run: mvn -B test --file pom.xml + + - 
name: build the app + run: | + mvn clean + mvn -B package --file pom.xml + + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v4 + # with: + # node-version: 20 + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + + - name: Snyk Code test + run: snyk code test --debug --org=6a72044c-629a-4d2f-b8c9-4f6b386c9b27 --sarif > snyk-code.sarif || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects || true + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report || true + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk-code.sarif + + - name: Automated Github Action Maven Version Bump + uses: mickem/gh-action-bump-maven-version@v1.0.0 + + # Publish the built artifact to the github maven repo + - name: Publish to GitHub Packages Apache Maven + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + if: steps.bump.outputs.bumped == false + run: | + mvn deploy -s $GITHUB_WORKSPACE/settings.xml From cfd5c138e6bf990b39c3c0703de33c3ddb33658f Mon Sep 17 00:00:00 2001 From: duncan-snyk Date: Fri, 29 Nov 2024 12:04:46 +0000 Subject: [PATCH 02/21] Use SNYK_ORG_ID from env --- .github/workflows/snyk-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
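Review bot: The publish step's condition `if: steps.bump.outputs.bumped == false` refers to a step id `bump` that no step in this file declares (every step has a `name:` but none has an `id:`), so the expression compares a missing output and does not gate on the version-bump result; give the bump step `id: bump` and check the output name that action actually documents. The job-level `env: SNYK_TOKEN` also hands the Snyk secret to every step, including the third-party `mickem/gh-action-bump-maven-version@v1.0.0` and the Maven deploy; moving the `env:` onto the three Snyk steps limits its exposure. `snyk/actions/setup` is pinned to a full commit SHA, which is the right pattern, while the version-bump action is pinned only to a mutable tag and would benefit from the same treatment. Finally, the job grants `contents: write` and `packages: write` on `pull_request` runs whose scan and SARIF upload only need `contents: read` and `security-events: write`.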
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index bf9169b4ff..7a5ff9cdcf 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -75,7 +75,7 @@ jobs: # Use || true to not fail the pipeline - name: Snyk Code test - run: snyk code test --debug --org=6a72044c-629a-4d2f-b8c9-4f6b386c9b27 --sarif > snyk-code.sarif || true + run: snyk code test --debug --org=${{ env.SNYK_ORG_ID }} --sarif > snyk-code.sarif || true # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. - name: Snyk Open Source monitor From c10ce8e84a15b0e49e56c9227ce597190390574c Mon Sep 17 00:00:00 2001 From: Automated Version Bump Date: Fri, 29 Nov 2024 12:06:27 +0000 Subject: [PATCH 03/21] ci: ci: version bump 0.0.1 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7a67b8cd71..92421ff08c 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ io.github.snyk java-goof - 0.0.1-SNAPSHOT + 0.0.1 Java Goof A collection of vulnerable Java apps https://github.com/snyk-labs/java-goof From 3d9e15afe5cb9ebcd289178f0ccdb6b58708121b Mon Sep 17 00:00:00 2001 From: Duncan McIntyre Date: Fri, 29 Nov 2024 13:14:55 +0000 Subject: [PATCH 04/21] Updated to specify Java 8 --- log4shell-goof/log4shell-server/k8s/imagebuild.sh | 4 ++-- pom.xml | 2 +- todolist-goof/k8s/imagebuild.sh | 4 ++-- todolist-goof/pom.xml | 4 ++-- .../todolist/core/repository/api/TodoRepository.java | 7 +++++++ .../todolist/core/repository/impl/TodoRepositoryImpl.java | 8 ++++++++ .../todolist/core/service/impl/TodoServiceImpl.java | 1 + 7 files changed, 23 insertions(+), 7 deletions(-) diff --git a/log4shell-goof/log4shell-server/k8s/imagebuild.sh b/log4shell-goof/log4shell-server/k8s/imagebuild.sh index 5fe689d04d..3c3500da54 100755 --- a/log4shell-goof/log4shell-server/k8s/imagebuild.sh +++ b/log4shell-goof/log4shell-server/k8s/imagebuild.sh 
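Review bot: `${{ env.SNYK_ORG_ID }}` is read here, but the only job-level `env` this workflow defines (in the file as created by the previous patch) is `SNYK_TOKEN`, so the expression expands to an empty string, the command becomes `--org=`, and the trailing `|| true` hides whatever the CLI does with that. Either add `SNYK_ORG_ID` to the job `env:` block or reference it from where it is stored, e.g. `--org=${{ secrets.SNYK_ORG_ID }}` or `--org=${{ vars.SNYK_ORG_ID }}`. Replacing the hard-coded org id is the right direction; the value just needs a source.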
@@ -8,7 +8,7 @@ else fi echo "📦 Building image ${DOCKER_ACCOUNT}/log4shell-server:latest ..." -docker build -t ${DOCKER_ACCOUNT}/log4shell-server:latest $MYDIR/.. +docker build --platform linux/arm64 -t ${DOCKER_ACCOUNT}/log4shell-server:latest $MYDIR/.. echo echo "🚚 Pushing image to DockerHub..." -docker push ${DOCKER_ACCOUNT}/log4shell-server:latest +docker push --platform linux/arm64 ${DOCKER_ACCOUNT}/log4shell-server:latest diff --git a/pom.xml b/pom.xml index 92421ff08c..7a67b8cd71 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ io.github.snyk java-goof - 0.0.1 + 0.0.1-SNAPSHOT Java Goof A collection of vulnerable Java apps https://github.com/snyk-labs/java-goof diff --git a/todolist-goof/k8s/imagebuild.sh b/todolist-goof/k8s/imagebuild.sh index f5086c5acc..b25389e0cd 100755 --- a/todolist-goof/k8s/imagebuild.sh +++ b/todolist-goof/k8s/imagebuild.sh @@ -8,7 +8,7 @@ else fi echo "📦 Building image ${DOCKER_ACCOUNT}/java-goof:latest ..." -docker build -t ${DOCKER_ACCOUNT}/java-goof:latest $MYDIR/.. +docker build --platform linux/arm64 -t ${DOCKER_ACCOUNT}/java-goof:latest $MYDIR/.. echo echo "🚚 Pushing image to DockerHub..." -docker push ${DOCKER_ACCOUNT}/java-goof:latest +docker push --platform linux/arm64 ${DOCKER_ACCOUNT}/java-goof:latest diff --git a/todolist-goof/pom.xml b/todolist-goof/pom.xml index 4df79d1b1b..e399d18452 100644 --- a/todolist-goof/pom.xml +++ b/todolist-goof/pom.xml @@ -58,8 +58,8 @@ 3.2 true - 1.7 - 1.7 + 1.8 + 1.8 true diff --git a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java index a258167cf2..dcf8980240 100644 --- a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java +++ b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java 
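Review bot: Hard-coding `--platform linux/arm64` on `docker build` ties the image to one architecture, which does not match the commit subject ("specify Java 8") and yields an image that cannot run on amd64 hosts; consider a `PLATFORM` variable with a default, or a multi-platform `buildx` build, and quote `"$MYDIR/.."` while touching the line. As far as I know `docker push --platform` is only accepted by recent Docker CLI releases, so older environments running this script will fail at the push step. The same two edits appear in `todolist-goof/k8s/imagebuild.sh` in this patch and need the same fix.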
@@ -83,4 +83,11 @@ public interface TodoRepository { */ void remove(final Todo todo); + /** + * Wibble a todo. + * + * @param todo the todo to wibble + */ + void wibble(final Todo todo); + } diff --git a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java index 02621ccd9f..3a91f04576 100644 --- a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java +++ b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java @@ -94,4 +94,12 @@ public void remove(final Todo todo) { entityManager.remove(t); } + /** + * {@inheritDoc} + */ + public void wibble(final Todo todo) { + Todo t = entityManager.find(Todo.class, todo.getId()); + entityManager.remove(t); + } + } diff --git a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java index 382665cac1..f9bbca69aa 100644 --- a/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java +++ b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java @@ -89,4 +89,5 @@ public Todo create(final Todo todo) { public void remove(final Todo todo) { todoRepository.remove(todo); } + } From 8faa527b44fae5b4e842c92219d7b5b5806834c8 Mon Sep 17 00:00:00 2001 From: Automated Version Bump Date: Fri, 29 Nov 2024 13:16:56 +0000 Subject: [PATCH 05/21] ci: ci: version bump 0.0.1 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 7a67b8cd71..92421ff08c 100644 --- a/pom.xml +++ b/pom.xml 
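Review bot: The Javadoc on the new `wibble` method only restates its name (`Wibble a todo.`), which tells a caller nothing about its effect; the implementation added in the same patch deletes the entity, so the contract should say so, e.g. `Removes the persistent entity whose id matches the given todo.`, and should state what happens when no such entity exists. If the method is meant to behave exactly like `remove`, the interface should explain why both exist.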
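Review bot: `TodoRepositoryImpl.wibble` is a line-for-line copy of `remove` and inherits the same unchecked path: `entityManager.find` returns `null` when the id is not present, and per the JPA contract `entityManager.remove(null)` throws `IllegalArgumentException`; add `if (t != null) { entityManager.remove(t); }` or simply delegate with `remove(todo);` so the two cannot drift apart. Duplicated deletion logic is harder to audit than a single method, and `TodoServiceImpl` in this patch only gains a blank line, so nothing calls `wibble` yet.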
@@ -4,7 +4,7 @@ io.github.snyk java-goof - 0.0.1-SNAPSHOT + 0.0.1 Java Goof A collection of vulnerable Java apps https://github.com/snyk-labs/java-goof From 8fa43ba3c34406569575fb2575219ef00b8cbd8a Mon Sep 17 00:00:00 2001 From: duncan-snyk Date: Fri, 29 Nov 2024 13:38:27 +0000 Subject: [PATCH 06/21] Update snyk-security.yml Use a target reference to distinguish results in the UI --- .github/workflows/snyk-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 7a5ff9cdcf..8c67acca43 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -79,7 +79,7 @@ jobs: # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. - name: Snyk Open Source monitor - run: snyk monitor --all-projects || true + run: snyk monitor --all-projects --target-reference=cicd || true # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. # Use || true to not fail the pipeline. From 1d4ac30892be0a44e6399502196b61602d9510e5 Mon Sep 17 00:00:00 2001 From: Automated Version Bump Date: Fri, 29 Nov 2024 13:40:05 +0000 Subject: [PATCH 07/21] ci: ci: version bump 0.0.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 92421ff08c..01ea8cbb84 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ io.github.snyk java-goof - 0.0.1 + 0.0.2 Java Goof A collection of vulnerable Java apps https://github.com/snyk-labs/java-goof From 56bb07597b6837a38862e2d6a1d3d9025022c6ea Mon Sep 17 00:00:00 2001 From: duncan-snyk Date: Fri, 29 Nov 2024 13:44:59 +0000 Subject: [PATCH 08/21] Remove package publishing step --- .github/workflows/snyk-security.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 8c67acca43..408b6fb243 100644 --- a/.github/workflows/snyk-security.yml 
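Review bot: `--target-reference=cicd` is a constant, so every run — including the `pull_request` runs this workflow triggers on — reports under the same reference, and a PR branch's `snyk monitor` snapshot can replace the one taken from `main`. Using the branch name, e.g. `--target-reference=${{ github.ref_name }}`, keeps the snapshots apart; alternatively gate the step with `if: github.event_name == 'push'` so only merged code is monitored. How Snyk groups snapshots by reference is server-side behaviour I cannot confirm from the hunk, so verify in the UI before relying on either option.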
+++ b/.github/workflows/snyk-security.yml @@ -84,7 +84,7 @@ jobs: # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. # Use || true to not fail the pipeline. - name: Snyk IaC test and report - run: snyk iac test --report || true + run: snyk iac test --report --target-reference=cicd || true # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning @@ -92,13 +92,13 @@ jobs: with: sarif_file: snyk-code.sarif - - name: Automated Github Action Maven Version Bump - uses: mickem/gh-action-bump-maven-version@v1.0.0 + # - name: Automated Github Action Maven Version Bump + # uses: mickem/gh-action-bump-maven-version@v1.0.0 - # Publish the built artifact to the github maven repo - - name: Publish to GitHub Packages Apache Maven - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: steps.bump.outputs.bumped == false - run: | - mvn deploy -s $GITHUB_WORKSPACE/settings.xml + # # Publish the built artifact to the github maven repo + # - name: Publish to GitHub Packages Apache Maven + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # if: steps.bump.outputs.bumped == false + # run: | + # mvn deploy -s $GITHUB_WORKSPACE/settings.xml From de2218b93624d3db6821dee55bd1ec5c03704a1e Mon Sep 17 00:00:00 2001 From: Duncan McIntyre Date: Thu, 5 Dec 2024 14:03:17 +0000 Subject: [PATCH 09/21] Use mvn install during cicd testing --- .github/workflows/snyk-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 408b6fb243..983d816c0b 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -58,7 +58,7 @@ jobs: - name: build the app run: | mvn clean - mvn -B package --file pom.xml + mvn -B install --file pom.xml - name: Set up Snyk CLI to check for security issues # Snyk can be used to break the build when it detects security issues. 
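Review bot: Commenting out the version-bump and `mvn deploy` steps leaves the job's `permissions:` block (outside this hunk) still granting `contents: write` and `packages: write`, which nothing in the workflow now uses; reduce to `contents: read` and drop `packages: write` at both job and workflow level so the scan runs with the least token scope. Deleting the dead steps outright rather than keeping them as comments would also make that mismatch visible in review. The IaC step's new `--target-reference=cicd` has the same constant-reference concern as the monitor step changed in patch 06.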
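Review bot: `mvn -B install` re-runs the test phase that the preceding `unit tests` step already executed with `mvn -B test`, roughly doubling build time; pass `-DskipTests` here or drop the separate test step. `mvn clean` and the install can also be a single invocation, `mvn -B clean install --file pom.xml`. The enclosing job starts outside the hunk.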
From b5ce87212eac0a9ec6a5a5ea48687e9f82b79f10 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 12 Dec 2024 11:56:16 +0000 Subject: [PATCH 10/21] Update snyk-security.yml From ede89030ff2ed4adda8a187e25f639c586b487e5 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 13 Mar 2025 10:11:51 +0000 Subject: [PATCH 11/21] Update snyk-security.yml From 44e26a680504770a494fa00e1334befce25cb6d6 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Wed, 23 Apr 2025 12:54:03 +0100 Subject: [PATCH 12/21] Set up CI with Azure Pipelines [skip ci] --- azure-pipelines.yml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 azure-pipelines.yml diff --git a/azure-pipelines.yml b/azure-pipelines.yml new file mode 100644 index 0000000000..e45af55a1f --- /dev/null +++ b/azure-pipelines.yml 
@@ -0,0 +1,42 @@ +# Node.js +# Build a general Node.js project with npm. +# Add steps that analyze code, save build artifacts, deploy, and more: +# https://docs.microsoft.com/azure/devops/pipelines/languages/javascript + +trigger: +- main + +pool: + vmImage: ubuntu-latest + +steps: +- task: NodeTool@0 + inputs: + versionSpec: '20.x' + displayName: 'Install Node.js' + +- script: | + npm install + npm run build + displayName: 'npm install and build' + + # snyk code + - script: snyk code test --sarif-file-output=CodeAnalysisLogs/snyk-code.sarif + continueOnError: true + displayName: 'snyk code' + + # snyk open source + - script: snyk test --all-projects --sarif-file-output=CodeAnalysisLogs/snyk-open-source.sarif + continueOnError: true + displayName: 'snyk open source' + + # snyk container + # NOTE: Change this to your container name + - script: snyk container test sebsnyk/juice-shop --file=Dockerfile --sarif-file-output=CodeAnalysisLogs/snyk-container.sarif + continueOnError: true + displayName: 'snyk container' + + # snyk iac + - script: snyk iac test --sarif-file-output=CodeAnalysisLogs/snyk-iac.sarif + continueOnError: true + displayName: 'snyk iac' From acf61c184ad714be1451b11afbe95e056b8faa99 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 13:36:07 +0100 Subject: [PATCH 13/21] Create main.yml --- .github/workflows/main.yml | 83 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..56d3ca2db4 --- /dev/null +++ b/.github/workflows/main.yml 
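Review bot: The four Snyk steps are indented one level deeper than the two `steps` entries above them (`+ - script:` versus `+- task:` / `+- script:`), which makes them part of the previous step's mapping rather than pipeline steps, so the YAML is likely rejected at parse time; align every `- script:` with `- task:`. Nothing installs or authenticates the Snyk CLI (no `npm install -g snyk` step and no `SNYK_TOKEN` variable), and `CodeAnalysisLogs/` is never created before `--sarif-file-output` writes into it, so each scan would fail and `continueOnError: true` would hide that. The Node.js template (`npm install`, `npm run build`) and the `sebsnyk/juice-shop` container target do not belong to this Maven repository; the `NOTE` comment already flags the container name, and the build steps need the same adjustment.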
@@ -0,0 +1,83 @@ +name: Snyk Security Scan with Summary + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + snyk_scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # 1. Setup Java for the Maven project + - name: Set up Java + uses: actions/setup-java@v4 + with: + java-version: '17' # Adjust to your project's version + distribution: 'temurin' + cache: 'maven' + + # 2. Run Snyk Security Scan and output JSON + # The continue-on-error is crucial to ensure the JSON file is created, even if Snyk finds issues and would normally fail the step. + - name: Run Snyk Test (Open Source, Code, & Container) and save JSON + id: snyk_test + continue-on-error: true + uses: snyk/actions/maven@master # Use the specific action for the Maven project + with: + args: --all-projects --json-file-output=snyk-results.json + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # 3. Process Snyk JSON and create Job Summary Table + # We use 'jq' to extract severity counts from the JSON output file. + - name: Generate Security Summary Table + run: | + # The JSON output is complex and can contain multiple test results. + # This script aggregates the counts for Open Source (dependency) vulnerabilities. + + # Install jq for JSON processing + sudo apt-get install jq -y + + # Read the JSON file content + SNYK_JSON=$(cat snyk-results.json) + + # Use jq to extract and aggregate vulnerability counts by severity for the main project + # Note: The structure might vary. This attempts to get the severity counts from the first project result. + HIGH_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "high")] | length') + MEDIUM_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. 
== "medium")] | length') + LOW_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "low")] | length') + + TOTAL_ISSUES=$((HIGH_COUNT + MEDIUM_COUNT + LOW_COUNT)) + + # Determine the overall status emoji + STATUS_EMOJI="✅" + if [ "$TOTAL_ISSUES" -gt 0 ]; then + STATUS_EMOJI="❌" + fi + + # Construct the Markdown table and write to the job summary + SUMMARY_MARKDOWN=$(cat <<-EOF + + ### Snyk Security Scan Summary ${STATUS_EMOJI} + + | Metric | Status | Count | + | :--- | :---: | :---: | + | **Total Issues Found** | ${STATUS_EMOJI} | **${TOTAL_ISSUES}** | + | High Severity | ❌ | ${HIGH_COUNT} | + | Medium Severity | ⚠️ | ${MEDIUM_COUNT} | + | Low Severity | ⚪ | ${LOW_COUNT} | + +
+ + > For full vulnerability details, please check the logs of the \`Run Snyk Test\` step or the **Security** tab (if SARIF is enabled). + + EOF + ) + + # Append the generated summary to the $GITHUB_STEP_SUMMARY file + echo "$SUMMARY_MARKDOWN" >> $GITHUB_STEP_SUMMARY From 9946ab0640937cd37d4289d21db2647956b97604 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 13:43:17 +0100 Subject: [PATCH 14/21] Refactor Snyk steps in main.yml for better clarity Updated Snyk steps in GitHub Actions workflow for clarity and structure. --- .github/workflows/main.yml | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 56d3ca2db4..b4c4048a27 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
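Review bot: The jq filters read a SARIF layout (`.runs[]`, `.tool.driver.name`, `.results[].properties.severity`) but the scan step writes Snyk's native JSON via `--json-file-output`, which has no `runs` key, so jq errors on the first `HIGH_COUNT=` assignment and under the default `bash -e` run shell the summary step aborts before any table is written. Either switch the scan to `--sarif-file-output=snyk-results.sarif` and keep the filters, or query the native format with `jq '[.vulnerabilities[] | select(.severity == "high")] | length'` (with `--all-projects` the file can be an array of project results, so confirm the shape against a real run). The table also has no `critical` row, so the highest Snyk severity would be dropped from the total even once the filter works. `snyk/actions/maven@master` is a mutable ref in a step that receives `SNYK_TOKEN`; pin it to a commit SHA as `snyk-security.yml` does for `snyk/actions/setup`. The same filter mismatch carries through the patch 14 hunk.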
@@ -14,40 +14,38 @@ jobs: - name: Checkout code uses: actions/checkout@v4 - # 1. Setup Java for the Maven project + # 1. Setup Java for the Maven project (This step remains the same) - name: Set up Java uses: actions/setup-java@v4 with: - java-version: '17' # Adjust to your project's version + java-version: '17' distribution: 'temurin' cache: 'maven' - # 2. Run Snyk Security Scan and output JSON - # The continue-on-error is crucial to ensure the JSON file is created, even if Snyk finds issues and would normally fail the step. - - name: Run Snyk Test (Open Source, Code, & Container) and save JSON + # 2. Install Snyk CLI on the runner + - name: Install Snyk CLI + uses: snyk/actions/setup@master + + # 3. Run Snyk Test (Open Source, Code, & Container) and save JSON + # We now run the Snyk CLI command directly on the runner. + - name: Run Snyk Test and save JSON id: snyk_test + # Set continue-on-error: true here to ensure the summary step runs even if issues are found continue-on-error: true - uses: snyk/actions/maven@master # Use the specific action for the Maven project - with: - args: --all-projects --json-file-output=snyk-results.json + run: snyk test --all-projects --json-file-output=snyk-results.json env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # 3. Process Snyk JSON and create Job Summary Table - # We use 'jq' to extract severity counts from the JSON output file. + # 4. Process Snyk JSON and create Job Summary Table (This step remains the same) - name: Generate Security Summary Table run: | - # The JSON output is complex and can contain multiple test results. - # This script aggregates the counts for Open Source (dependency) vulnerabilities. - # Install jq for JSON processing sudo apt-get install jq -y # Read the JSON file content SNYK_JSON=$(cat snyk-results.json) - # Use jq to extract and aggregate vulnerability counts by severity for the main project - # Note: The structure might vary. This attempts to get the severity counts from the first project result. 
+ # Use jq to extract and aggregate vulnerability counts by severity (for the first project result) HIGH_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "high")] | length') MEDIUM_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "medium")] | length') LOW_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "low")] | length') From 8987987cc26440395efb40f675941cbc7172dc0e Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 13:45:25 +0100 Subject: [PATCH 15/21] Fix echo command for appending summary From ede8f83095986726d6f082db55a686a0da1d9f2c Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 14:55:35 +0100 Subject: [PATCH 16/21] Summary Table in Security Scan --- .github/workflows/summary table.yml | 62 +++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/summary table.yml diff --git a/.github/workflows/summary table.yml b/.github/workflows/summary table.yml new file mode 100644 index 0000000000..2ddfe8eb1c --- /dev/null +++ b/.github/workflows/summary table.yml 
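Review bot: `snyk/actions/setup@master` is pinned to a mutable branch in a job where the very next step exports `SNYK_TOKEN`, so anyone who can move `master` can run code with that secret; pin to a full commit SHA, as `snyk-security.yml` already does for the same action, and let Dependabot bump it. The jq filters kept in this hunk still read a SARIF layout from a file written with `--json-file-output`, which was raised on the patch 13 hunk. The rest of the summary step continues below the hunk.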
@@ -0,0 +1,62 @@ +name: Snyk Security Scan + +on: + push: + branches: + - main + - master + pull_request: + # Scan on pull requests to get results before merge + types: [opened, synchronize, reopened] + branches: + - main + - master + +jobs: + snyk: + runs-on: ubuntu-latest + + # Use environment variables for easier management + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Set up JDK 17 (or your required version) + uses: actions/setup-java@v4 + with: + java-version: '17' + distribution: 'temurin' + cache: 'maven' + + # ➡️ FIX FOR MAVEN DEPENDENCY RESOLUTION ERROR ⬅️ + # Builds all modules and installs artifacts to the local Maven repository + # (e.g., todolist-core and todolist-web-common) so subsequent modules can find them. + - name: Maven Build and Install + run: mvn -B install -DskipTests + # If your build requires specific settings.xml, ensure it's configured here. + + # ➡️ FIX FOR SNYK & JQ SUMMARY ERROR ⬅️ + # Uses the official Snyk action to scan, generate SARIF, and create a Job Summary. + - name: Snyk Security Test + uses: snyk/actions/maven@master + id: snyk + with: + args: --all-projects --sarif-file-output=snyk-results.sarif --severity-threshold=low + # The Snyk action automatically uses the SNYK_TOKEN environment variable. + + # Uploads the SARIF file to GitHub Code Scanning for a rich summary and alerts. + - name: Upload SARIF file for GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk-results.sarif + + # Add a step to fail the build if vulnerabilities are found, + # only if the previous Snyk step did not already fail. + - name: Fail if Snyk found critical vulnerabilities (Optional) + if: steps.snyk.outputs.vulnerabilities > 0 + run: | + echo "Snyk found ${{ steps.snyk.outputs.vulnerabilities }} vulnerabilities. See the detailed summary and Code Scanning tab for details." + exit 1 
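Review bot: The `Upload SARIF file` step has no `if:` and the Snyk step has no `continue-on-error`, so when the scanner finds vulnerabilities — which makes `snyk test` exit non-zero by default — the job stops before the SARIF is uploaded, exactly the runs where Code Scanning needs it; add `continue-on-error: true` to the Snyk step or `if: always()` to the upload. `steps.snyk.outputs.vulnerabilities` is not an output I can find declared for `snyk/actions/maven`, so the final `if:` compares an empty value and the `exit 1` step will not behave as its comment describes; check the action's `action.yml` before relying on it. The upload also needs `permissions: security-events: write` on the job unless the repository's default token already grants it, and `snyk/actions/maven@master` should be pinned to a commit SHA. A space in the workflow filename (`summary table.yml`) works but makes every tooling reference awkward; `summary-table.yml` is easier to live with.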
From 8557af75a2f3872241aa4a0158bcf1ba2518727a Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 15:01:00 +0100 Subject: [PATCH 17/21] Update main.yml --- .github/workflows/main.yml | 138 +++++++++++++++++++++---------------- 1 file changed, 78 insertions(+), 60 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b4c4048a27..f70a9a2fca 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,81 +1,99 @@ -name: Snyk Security Scan with Summary +name: Snyk Security Scan with Custom Summary on: push: - branches: [ "main" ] + branches: + - main + - master pull_request: - branches: [ "main" ] + types: [opened, synchronize, reopened] + branches: + - main + - master jobs: - snyk_scan: + snyk: runs-on: ubuntu-latest + + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # Define the name of the Snyk output file + SNYK_OUTPUT_FILE: snyk-results.json steps: - - name: Checkout code + - name: Checkout Code uses: actions/checkout@v4 - # 1. Setup Java for the Maven project (This step remains the same) - - name: Set up Java + - name: Set up JDK 17 uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' cache: 'maven' - # 2. Install Snyk CLI on the runner - - name: Install Snyk CLI - uses: snyk/actions/setup@master + # Install jq for JSON processing, required for the custom summary step + - name: Install jq + run: sudo apt-get update && sudo apt-get install -y jq - # 3. Run Snyk Test (Open Source, Code, & Container) and save JSON - # We now run the Snyk CLI command directly on the runner. - - name: Run Snyk Test and save JSON - id: snyk_test - # Set continue-on-error: true here to ensure the summary step runs even if issues are found - continue-on-error: true - run: snyk test --all-projects --json-file-output=snyk-results.json - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # 1. FIX FOR MAVEN DEPENDENCY RESOLUTION ERROR + - name: Maven Build and Install + run: mvn -B install -DskipTests - # 4. Process Snyk JSON and create Job Summary Table (This step remains the same) - - name: Generate Security Summary Table + # 2. RUN SNYK TEST TO GENERATE JSON OUTPUT + # Note: The official Snyk action is simpler, but a manual run is needed to control + # the JSON file output for the custom jq script. + # We use '|| true' to prevent the action from failing immediately, allowing + # the subsequent summary step to process the results even if vulns are found. 
+ - name: Run Snyk Test and Generate JSON + run: snyk test --all-projects --json-file-output=${{ env.SNYK_OUTPUT_FILE }} || true + + # 3. GENERATE CUSTOM JOB SUMMARY TABLE + # ⚠️ This is the critical step to produce the table you want. + - name: Generate Custom Test Summary Table run: | - # Install jq for JSON processing - sudo apt-get install jq -y - - # Read the JSON file content - SNYK_JSON=$(cat snyk-results.json) - - # Use jq to extract and aggregate vulnerability counts by severity (for the first project result) - HIGH_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "high")] | length') - MEDIUM_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "medium")] | length') - LOW_COUNT=$(echo "$SNYK_JSON" | jq -r '[.runs[] | select(.tool.driver.name == "snyk") | .results[].properties | .severity | select(. == "low")] | length') - - TOTAL_ISSUES=$((HIGH_COUNT + MEDIUM_COUNT + LOW_COUNT)) - - # Determine the overall status emoji - STATUS_EMOJI="✅" - if [ "$TOTAL_ISSUES" -gt 0 ]; then - STATUS_EMOJI="❌" + # The Snyk output is an array of results for each project. + # We use a filter to check if the file exists and is not empty. + if [ -s "${{ env.SNYK_OUTPUT_FILE }}" ]; then + echo "## Snyk Test Summary" >> $GITHUB_STEP_SUMMARY + echo "| Test result | Passed | Failed | Skipped | Time duration |" >> $GITHUB_STEP_SUMMARY + echo "| :---: | :---: | :---: | :---: | :---: |" >> $GITHUB_STEP_SUMMARY + + # Use jq to iterate over the array of projects, extracting and calculating metrics. + jq -c '.[] | { + name: (.displayTargetFile | split("/") | last), + ok: (.ok), + vulnerabilities: (.vulnerabilities | length), + # Snyk CLI doesn't provide "Passed/Skipped/Duration" directly. + # For this example, we'll use a placeholder for Passed/Skipped/Duration + # and report on vulnerability status. 
+ # If you need Passed/Skipped counts, your test runner needs to provide them. + # Snyk reports on VULNERABILITIES (Failed) and total dependencies (Total). + dependencies: (.dependencyCount) + }' ${{ env.SNYK_OUTPUT_FILE }} | while read result; do + + project_name=$(echo "$result" | jq -r '.name') + vulnerabilities=$(echo "$result" | jq -r '.vulnerabilities') + dependencies=$(echo "$result" | jq -r '.dependencies') + + # Calculate "Passed" as Dependencies - Vulnerabilities + passed=$((dependencies - vulnerabilities)) + + # Determine the overall result icon + if [ "$vulnerabilities" -gt 0 ]; then + status="🔴 Fail" + else + status="🟢 Pass" + fi + + # Print the table row. Note the placeholder values (0 skipped, N/A duration) + # as Snyk JSON doesn't contain the detailed execution data from the image. + echo "| $status ($project_name) | $passed | $vulnerabilities | 0 | N/A |" >> $GITHUB_STEP_SUMMARY + + done + echo "---" >> $GITHUB_STEP_SUMMARY + echo "Note: Passed/Failed here refers to Dependency Count vs. Vulnerabilities Found." >> $GITHUB_STEP_SUMMARY + echo "Skipped and Duration are placeholders as the Snyk JSON output does not provide JUnit-style metrics." >> $GITHUB_STEP_SUMMARY + else + echo "Snyk test output file not found or was empty. Check previous steps for errors." >> $GITHUB_STEP_SUMMARY + exit 1 fi - - # Construct the Markdown table and write to the job summary - SUMMARY_MARKDOWN=$(cat <<-EOF - - ### Snyk Security Scan Summary ${STATUS_EMOJI} - - | Metric | Status | Count | - | :--- | :---: | :---: | - | **Total Issues Found** | ${STATUS_EMOJI} | **${TOTAL_ISSUES}** | - | High Severity | ❌ | ${HIGH_COUNT} | - | Medium Severity | ⚠️ | ${MEDIUM_COUNT} | - | Low Severity | ⚪ | ${LOW_COUNT} | - -
- - > For full vulnerability details, please check the logs of the \`Run Snyk Test\` step or the **Security** tab (if SARIF is enabled). - - EOF - ) - - # Append the generated summary to the $GITHUB_STEP_SUMMARY file - echo "$SUMMARY_MARKDOWN" >> $GITHUB_STEP_SUMMARY From 3fe5456df11afe2d1d2dfde526182ad5aac75d91 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 15:05:12 +0100 Subject: [PATCH 18/21] Update main.yml --- .github/workflows/main.yml | 113 +++++++++++-------------------------- 1 file changed, 34 insertions(+), 79 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f70a9a2fca..c97926b48f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
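Review bot: The `Install Snyk CLI` step is removed in this hunk but `Run Snyk Test and Generate JSON` still invokes the `snyk` binary, so on a fresh `ubuntu-latest` runner the command fails with `command not found`, `|| true` swallows that, and the summary step then exits 1 with "Snyk test output file not found or was empty"; restore `uses: snyk/actions/setup@<pinned-commit-sha>` (placeholder — use the SHA already pinned in `snyk-security.yml`) or `npm install -g snyk` before the scan step. The derived `passed=$((dependencies - vulnerabilities))` subtracts a finding count from a dependency count, which are different units, so the Passed column is not meaningful; the note appended to the summary admits as much, and dropping the column is clearer than a placeholder. The `jq -c '.[] | …'` filter assumes the output is an array; with a single project `snyk test --json-file-output` writes one object and `.[]` would iterate its fields, so confirm against an actual run and guard with `if type == "array" then .[] else . end`.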
@@ -1,99 +1,54 @@ -name: Snyk Security Scan with Custom Summary +name: Snyk Security Scan with Summary on: push: - branches: - - main - - master + branches: [ "main" ] pull_request: - types: [opened, synchronize, reopened] - branches: - - main - - master + branches: [ "main" ] jobs: - snyk: + snyk_scan: runs-on: ubuntu-latest - - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Define the name of the Snyk output file - SNYK_OUTPUT_FILE: snyk-results.json - steps: - - name: Checkout Code + - name: Checkout code uses: actions/checkout@v4 - - name: Set up JDK 17 + # 1. Setup Java for the Maven project (Required to resolve inter-module dependencies) + - name: Set up Java uses: actions/setup-java@v4 with: java-version: '17' distribution: 'temurin' cache: 'maven' - # Install jq for JSON processing, required for the custom summary step - - name: Install jq - run: sudo apt-get update && sudo apt-get install -y jq - - # 1. FIX FOR MAVEN DEPENDENCY RESOLUTION ERROR + # 1.1 Add Maven Install Step (Crucial fix for your initial dependency errors) - name: Maven Build and Install run: mvn -B install -DskipTests - - # 2. RUN SNYK TEST TO GENERATE JSON OUTPUT - # Note: The official Snyk action is simpler, but a manual run is needed to control - # the JSON file output for the custom jq script. - # We use '|| true' to prevent the action from failing immediately, allowing - # the subsequent summary step to process the results even if vulns are found. - - name: Run Snyk Test and Generate JSON - run: snyk test --all-projects --json-file-output=${{ env.SNYK_OUTPUT_FILE }} || true - - # 3. GENERATE CUSTOM JOB SUMMARY TABLE - # ⚠️ This is the critical step to produce the table you want. - - name: Generate Custom Test Summary Table + + # 2. Install Snyk CLI on the runner + - name: Install Snyk CLI + uses: snyk/actions/setup@master + + # 3. 
Run Snyk Test (Open Source, Code, & Container) and save JSON + # We use --json, not --json-file-output, as the setup action handles the output redirection. + - name: Run Snyk Test and save JSON + id: snyk_test + # Set continue-on-error: true here to ensure the summary step runs even if issues are found + continue-on-error: true + run: snyk test --all-projects --json > snyk-results.json + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # 4. Process Snyk JSON and create Job Summary Table (CRITICAL FIX HERE) + - name: Generate Security Summary Table run: | - # The Snyk output is an array of results for each project. - # We use a filter to check if the file exists and is not empty. - if [ -s "${{ env.SNYK_OUTPUT_FILE }}" ]; then - echo "## Snyk Test Summary" >> $GITHUB_STEP_SUMMARY - echo "| Test result | Passed | Failed | Skipped | Time duration |" >> $GITHUB_STEP_SUMMARY - echo "| :---: | :---: | :---: | :---: | :---: |" >> $GITHUB_STEP_SUMMARY - - # Use jq to iterate over the array of projects, extracting and calculating metrics. - jq -c '.[] | { - name: (.displayTargetFile | split("/") | last), - ok: (.ok), - vulnerabilities: (.vulnerabilities | length), - # Snyk CLI doesn't provide "Passed/Skipped/Duration" directly. - # For this example, we'll use a placeholder for Passed/Skipped/Duration - # and report on vulnerability status. - # If you need Passed/Skipped counts, your test runner needs to provide them. - # Snyk reports on VULNERABILITIES (Failed) and total dependencies (Total). 
- dependencies: (.dependencyCount) - }' ${{ env.SNYK_OUTPUT_FILE }} | while read result; do - - project_name=$(echo "$result" | jq -r '.name') - vulnerabilities=$(echo "$result" | jq -r '.vulnerabilities') - dependencies=$(echo "$result" | jq -r '.dependencies') - - # Calculate "Passed" as Dependencies - Vulnerabilities - passed=$((dependencies - vulnerabilities)) - - # Determine the overall result icon - if [ "$vulnerabilities" -gt 0 ]; then - status="🔴 Fail" - else - status="🟢 Pass" - fi - - # Print the table row. Note the placeholder values (0 skipped, N/A duration) - # as Snyk JSON doesn't contain the detailed execution data from the image. - echo "| $status ($project_name) | $passed | $vulnerabilities | 0 | N/A |" >> $GITHUB_STEP_SUMMARY - - done - echo "---" >> $GITHUB_STEP_SUMMARY - echo "Note: Passed/Failed here refers to Dependency Count vs. Vulnerabilities Found." >> $GITHUB_STEP_SUMMARY - echo "Skipped and Duration are placeholders as the Snyk JSON output does not provide JUnit-style metrics." >> $GITHUB_STEP_SUMMARY - else - echo "Snyk test output file not found or was empty. Check previous steps for errors." >> $GITHUB_STEP_SUMMARY - exit 1 + # Install jq for JSON processing + # We check if it's already installed to avoid reinstalling if using snyk/actions/setup which might include it + if ! command -v jq &> /dev/null; then + sudo apt-get update && sudo apt-get install jq -y fi + + # Check if the Snyk output file exists and has content (handles empty runs) + SNYK_FILE="snyk-results.json" + if [ ! -s "$SNYK_FILE" ]; then + echo "## From e97c55376565ca26e43070be779b7b0765020854 Mon Sep 17 00:00:00 2001 
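Review bot: The rewritten main.yml still declares no top-level `permissions:` block, so the job token keeps the repository's default scope although nothing here needs more than checkout; add `permissions:` / `  contents: read` above `jobs:`. `uses: snyk/actions/setup@master` resolves a mutable branch of a third-party action on every run, so any change upstream lands in CI unreviewed; pin it to a full commit SHA, e.g. `uses: snyk/actions/setup@<commit-sha>  # <release tag>`. Because `continue-on-error: true` on `snyk_test` swallows Snyk's non-zero exit and the summary step (whose body is cut off at the end of this hunk) has no failing path, a scan with findings currently leaves the job green; a final step gated on `if: steps.snyk_test.outcome == 'failure'` that runs `exit 1` would restore the gate.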
From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 15:11:34 +0100 Subject: [PATCH 19/21] Enhance Snyk workflow for better vulnerability summary Updated the Snyk GitHub Actions workflow to improve the summary generation of security vulnerabilities. --- .github/workflows/main.yml | 60 ++++++++++++++++++++++++++++++++++---- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c97926b48f..19345782c4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -28,9 +28,9 @@ jobs: # 2. Install Snyk CLI on the runner - name: Install Snyk CLI uses: snyk/actions/setup@master - + # 3. Run Snyk Test (Open Source, Code, & Container) and save JSON - # We use --json, not --json-file-output, as the setup action handles the output redirection. + # We pipe the JSON output to a file. - name: Run Snyk Test and save JSON id: snyk_test # Set continue-on-error: true here to ensure the summary step runs even if issues are found @@ -39,11 +39,10 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # 4. Process Snyk JSON and create Job Summary Table (CRITICAL FIX HERE) + # 4. Process Snyk JSON and create Job Summary Table - name: Generate Security Summary Table run: | # Install jq for JSON processing - # We check if it's already installed to avoid reinstalling if using snyk/actions/setup which might include it if ! command -v jq &> /dev/null; then sudo apt-get update && sudo apt-get install jq -y fi 
@@ -51,4 +50,55 @@ jobs: # Check if the Snyk output file exists and has content (handles empty runs) SNYK_FILE="snyk-results.json" if [ ! -s "$SNYK_FILE" ]; then - echo "## + echo "## ⚠️ Snyk Test Summary: No results file found or was empty." >> $GITHUB_STEP_SUMMARY + echo "Skipping summary generation." >> $GITHUB_STEP_SUMMARY + exit 0 + fi + + # Count vulnerabilities by severity across ALL projects in the JSON array + HIGH_COUNT=$(jq -r ' + [ + .[] | .vulnerabilities[] | select(.severity == "critical" or .severity == "high") + ] | length' "$SNYK_FILE") + + MEDIUM_COUNT=$(jq -r ' + [ + .[] | .vulnerabilities[] | select(.severity == "medium") + ] | length' "$SNYK_FILE") + + LOW_COUNT=$(jq -r ' + [ + .[] | .vulnerabilities[] | select(.severity == "low") + ] | length' "$SNYK_FILE") + + TOTAL_ISSUES=$((HIGH_COUNT + MEDIUM_COUNT + LOW_COUNT)) + + # Determine the overall status emoji + STATUS_EMOJI="✅" + if [ "$HIGH_COUNT" -gt 0 ] || [ "$MEDIUM_COUNT" -gt 0 ]; then + STATUS_EMOJI="❌" + elif [ "$TOTAL_ISSUES" -gt 0 ]; then + STATUS_EMOJI="⚠️" # Yellow for only low-severity + fi + + # Construct the Markdown table and write to the job summary + SUMMARY_MARKDOWN=$(cat <<-EOF + + ### Snyk Security Scan Summary ${STATUS_EMOJI} + + | Metric | Status | Count | + | :--- | :---: | :---: | + | **Total Vulnerabilities** | ${STATUS_EMOJI} | **${TOTAL_ISSUES}** | + | Critical/High Severity | ❌ | ${HIGH_COUNT} | + | Medium Severity | ⚠️ | ${MEDIUM_COUNT} | + | Low Severity | ⚪ | ${LOW_COUNT} | + +
+ + > For full vulnerability details by project, please check the logs of the \`Run Snyk Test and save JSON\` step. + + EOF + ) + + # Append the generated summary to the $GITHUB_STEP_SUMMARY file + echo "$SUMMARY_MARKDOWN" >> $GITHUB_STEP_SUMMARY From 7198adf84fc9f8a2fc7b64a7b90a4e4fbfa3b9f0 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 15:27:02 +0100 Subject: [PATCH 20/21] Create jennyexample.yml --- .github/workflows/jennyexample.yml | 247 +++++++++++++++++++++++++++++ 1 file changed, 247 insertions(+) create mode 100644 .github/workflows/jennyexample.yml diff --git a/.github/workflows/jennyexample.yml b/.github/workflows/jennyexample.yml new file mode 100644 index 0000000000..ae34222c97 --- /dev/null +++ b/.github/workflows/jennyexample.yml 
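Review bot: The severity counts use `.[] | .vulnerabilities[]`, which assumes `snyk-results.json` is always an array of project results; as far as I know the CLI emits a single object under `--all-projects` when only one project is detected, and `.[]` on that object iterates its field values so the jq call errors, which with the runner's default `bash -e` shell should abort the step before any summary is written. Wrapping the input, `(if type == "array" then .[] else . end) | .vulnerabilities[]?`, handles both shapes and a project record without a `vulnerabilities` key; the same change applies to the MEDIUM_COUNT and LOW_COUNT filters. Separately, the `[ ! -s "$SNYK_FILE" ]` branch ends in `exit 0`, so a scan that produced no output at all (bad token, CLI failure, both already masked by `continue-on-error: true` on the test step) is reported as a passing job; `exit 1` there keeps a broken scan from looking like a clean one.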
@@ -0,0 +1,247 @@ +name: Snyk Security Scan for NX Monorepo + +on: + pull_request: + branches: [ main, master, develop ] + types: [opened, synchronize, reopened] + +permissions: + contents: read + pull-requests: write + security-events: write + checks: write + +jobs: + snyk-scan: + runs-on: ubuntu-latest + name: Snyk Security Scan + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + cache: 'npm' + + - name: Install dependencies + run: npm ci + + - name: Install NX CLI + run: npm install -g @nrwl/cli + + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + - name: Authenticate Snyk + run: snyk auth ${{ secrets.SNYK_TOKEN }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Run Snyk Open Source Scan + id: snyk-open-source + run: | + echo "## 🔍 Snyk Open Source Vulnerability Scan Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Create output file for open source scan + OPEN_SOURCE_OUTPUT=$(mktemp) + + # Run Snyk test for all projects in the monorepo + if snyk test --all-projects --detection-depth=6 --json > "$OPEN_SOURCE_OUTPUT" 2>&1; then + echo "✅ No open source vulnerabilities found" >> $GITHUB_STEP_SUMMARY + echo "open_source_status=success" >> $GITHUB_OUTPUT + else + echo "❌ Open source vulnerabilities detected" >> $GITHUB_STEP_SUMMARY + echo "open_source_status=failure" >> $GITHUB_OUTPUT + + # Parse and format the JSON output for better readability + if command -v jq &> /dev/null; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Vulnerability Summary:" >> $GITHUB_STEP_SUMMARY + jq -r '.vulnerabilities[] | "- **\(.title)** (Severity: \(.severity | ascii_upcase)) in \(.packageName)@\(.version)"' "$OPEN_SOURCE_OUTPUT" | head -20 >> $GITHUB_STEP_SUMMARY || true + + # Add remediation advice + echo "" >> $GITHUB_STEP_SUMMARY + echo "### 💡 Remediation Advice:" >> $GITHUB_STEP_SUMMARY + jq -r 
'.vulnerabilities[] | select(.upgradePath != null and .upgradePath != []) | "- Upgrade \(.packageName) to version \(.upgradePath[-1])"' "$OPEN_SOURCE_OUTPUT" | sort -u | head -10 >> $GITHUB_STEP_SUMMARY || true + else + cat "$OPEN_SOURCE_OUTPUT" >> $GITHUB_STEP_SUMMARY + fi + fi + + # Save output for PR comment + cp "$OPEN_SOURCE_OUTPUT" open_source_results.json + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Run Snyk Code Scan + id: snyk-code + run: | + echo "" >> $GITHUB_STEP_SUMMARY + echo "## 🔍 Snyk Code Security Scan Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Create output file for code scan + CODE_OUTPUT=$(mktemp) + + # Run Snyk code test for the entire repository + if snyk code test --json > "$CODE_OUTPUT" 2>&1; then + echo "✅ No code security issues found" >> $GITHUB_STEP_SUMMARY + echo "code_status=success" >> $GITHUB_OUTPUT + else + echo "❌ Code security issues detected" >> $GITHUB_STEP_SUMMARY + echo "code_status=failure" >> $GITHUB_OUTPUT + + # Parse and format the JSON output for better readability + if command -v jq &> /dev/null; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "### Security Issues Summary:" >> $GITHUB_STEP_SUMMARY + jq -r '.runs[0].results[]? | "- **\(.ruleId)** (Severity: \(.level | ascii_upcase)) in \(.locations[0].physicalLocation.artifactLocation.uri):\(.locations[0].physicalLocation.region.startLine)"' "$CODE_OUTPUT" | head -20 >> $GITHUB_STEP_SUMMARY || true + + # Add remediation advice for code issues + echo "" >> $GITHUB_STEP_SUMMARY + echo "### 💡 Code Security Recommendations:" >> $GITHUB_STEP_SUMMARY + jq -r '.runs[0].results[]? 
| "- \(.message.text) (File: \(.locations[0].physicalLocation.artifactLocation.uri))"' "$CODE_OUTPUT" | head -10 >> $GITHUB_STEP_SUMMARY || true + else + cat "$CODE_OUTPUT" >> $GITHUB_STEP_SUMMARY + fi + fi + + # Save output for PR comment + cp "$CODE_OUTPUT" code_results.json + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Install jq for JSON parsing + if: steps.snyk-open-source.outputs.open_source_status == 'failure' || steps.snyk-code.outputs.code_status == 'failure' + run: sudo apt-get update && sudo apt-get install -y jq + + - name: Create PR Comment with Results + if: always() + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + + let comment = '## 🛡️ Snyk Security Scan Results\n\n'; + + // Read open source results + let openSourceStatus = '${{ steps.snyk-open-source.outputs.open_source_status }}'; + let codeStatus = '${{ steps.snyk-code.outputs.code_status }}'; + + // Open Source Results + comment += '### 📦 Open Source Dependencies\n'; + if (openSourceStatus === 'success') { + comment += '✅ No vulnerabilities found in open source dependencies\n\n'; + } else { + comment += '❌ Vulnerabilities found in open source dependencies\n\n'; + + try { + const openSourceData = fs.readFileSync('open_source_results.json', 'utf8'); + const openSourceJson = JSON.parse(openSourceData); + + if (openSourceJson.vulnerabilities && openSourceJson.vulnerabilities.length > 0) { + comment += '#### Top Vulnerabilities:\n'; + openSourceJson.vulnerabilities.slice(0, 5).forEach(vuln => { + comment += `- **${vuln.title}** (${vuln.severity.toUpperCase()}) in ${vuln.packageName}@${vuln.version}\n`; + }); + comment += '\n'; + + // Add upgrade recommendations + const upgrades = openSourceJson.vulnerabilities + .filter(v => v.upgradePath && v.upgradePath.length > 0) + .slice(0, 3); + + if (upgrades.length > 0) { + comment += '#### 💡 Recommended Upgrades:\n'; + upgrades.forEach(vuln => { + comment += `- Upgrade 
${vuln.packageName} to ${vuln.upgradePath[vuln.upgradePath.length - 1]}\n`; + }); + comment += '\n'; + } + } + } catch (e) { + comment += 'Error parsing open source scan results\n\n'; + } + } + + // Code Security Results + comment += '### 🔒 Code Security\n'; + if (codeStatus === 'success') { + comment += '✅ No code security issues found\n\n'; + } else { + comment += '❌ Code security issues found\n\n'; + + try { + const codeData = fs.readFileSync('code_results.json', 'utf8'); + const codeJson = JSON.parse(codeData); + + if (codeJson.runs && codeJson.runs[0] && codeJson.runs[0].results) { + comment += '#### Top Security Issues:\n'; + codeJson.runs[0].results.slice(0, 5).forEach(result => { + const location = result.locations[0].physicalLocation; + comment += `- **${result.ruleId}** (${result.level.toUpperCase()}) in ${location.artifactLocation.uri}:${location.region.startLine}\n`; + comment += ` ${result.message.text}\n`; + }); + comment += '\n'; + } + } catch (e) { + comment += 'Error parsing code scan results\n\n'; + } + } + + // Overall status + const overallStatus = (openSourceStatus === 'success' && codeStatus === 'success') ? 'success' : 'failure'; + + if (overallStatus === 'success') { + comment += '### ✅ Overall Status: PASSED\nNo security vulnerabilities detected in this PR.\n'; + } else { + comment += '### ❌ Overall Status: FAILED\nSecurity vulnerabilities detected. 
Please review and address the issues above.\n'; + } + + comment += '\n---\n*Powered by [Snyk](https://snyk.io) 🐍*'; + + // Post comment + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: comment + }); + + - name: Set Check Status + if: always() + uses: actions/github-script@v7 + with: + script: | + const openSourceStatus = '${{ steps.snyk-open-source.outputs.open_source_status }}'; + const codeStatus = '${{ steps.snyk-code.outputs.code_status }}'; + const overallStatus = (openSourceStatus === 'success' && codeStatus === 'success') ? 'success' : 'failure'; + + await github.rest.checks.create({ + owner: context.repo.owner, + repo: context.repo.repo, + name: 'Snyk Security Scan', + head_sha: context.payload.pull_request.head.sha, + status: 'completed', + conclusion: overallStatus, + output: { + title: overallStatus === 'success' ? 'Security scan passed' : 'Security vulnerabilities found', + summary: overallStatus === 'success' + ? 'No security vulnerabilities detected in open source dependencies or code.' + : 'Security vulnerabilities detected. Check the PR comment for details.' + } + }); + + - name: Fail if vulnerabilities found + if: steps.snyk-open-source.outputs.open_source_status == 'failure' || steps.snyk-code.outputs.code_status == 'failure' + run: | + echo "Security vulnerabilities detected. Please review the scan results." + exit 1 From 02992b904f9b5b0c1c19a471cf2a77043da248a4 Mon Sep 17 00:00:00 2001 From: sharmyn-snyk-test Date: Thu, 23 Oct 2025 15:27:26 +0100 Subject: [PATCH 21/21] Rename jennyexample.yml to jennyexample.yaml --- .github/workflows/{jennyexample.yml => jennyexample.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{jennyexample.yml => jennyexample.yaml} (100%) 
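Review bot: `snyk test ... --json > "$OPEN_SOURCE_OUTPUT" 2>&1` (and the same redirection in the Snyk Code step) writes stderr into the file that `jq` and the later `JSON.parse` read, so any warning the CLI prints breaks both parsers and the PR comment degrades to its "Error parsing" fallback; drop `2>&1` or redirect stderr to a separate file. The `Install jq for JSON parsing` step runs after both steps that already call `jq`, so it only works today because `ubuntu-latest` happens to ship jq; move it before the scan steps or remove it. The `Authenticate Snyk` step passes the token on the command line (`snyk auth ${{ secrets.SNYK_TOKEN }}`), exposing it in the runner's process list even though the same step already sets `SNYK_TOKEN` in the environment, which the CLI reads on its own; the step can be deleted. `snyk/actions/setup@master` should be pinned to a full commit SHA (`@<commit-sha>`) rather than a moving branch. Finally, the jq filters here read `.vulnerabilities[]` at the top level while the main.yml summary in this same series reads `.[] | .vulnerabilities[]`, so one of the two is wrong whenever `--all-projects` returns the other shape; normalising with `if type == "array" then .[] else . end` in both keeps them consistent.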
diff --git a/.github/workflows/jennyexample.yml b/.github/workflows/jennyexample.yaml similarity index 100% rename from .github/workflows/jennyexample.yml rename to .github/workflows/jennyexample.yaml