Add Snyk security workflow to track multiple tags

ChristianZaccaria · ChristianZaccaria · commit cfaf9b166c02 · 2024-11-04T15:43:31.000Z
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -27,15 +27,22 @@ on:
               type: string
               default: "project-codeflare"
 
+env:
+  PR_BRANCH_NAME: snyk-tag-monitoring-${{ github.run_id }}
+
 jobs:
     release:
         runs-on: ubuntu-latest
         permissions:
             contents: write
             id-token: write  # This permission is required for trusted publishing
+            pull-requests: write # This permission is required for creating PRs
         steps:
             - name: Checkout the repository
               uses: actions/checkout@v4
+              with:
+                  submodules: recursive
+                  token: ${{ secrets.GH_CLI_TOKEN }}
             - name: Install Python
               uses: actions/setup-python@v5
               with:
@@ -81,3 +88,32 @@ jobs:
               env:
                 GITHUB_TOKEN: ${{ secrets.CODEFLARE_MACHINE_ACCOUNT_TOKEN }}
               shell: bash
+
+            - name: Append tag to Snyk monitoring list
+              run: |
+                sed -i 's/list_of_released_tags=(/list_of_released_tags=("v${{ github.event.inputs.release-version }}", /' .github/workflows/snyk-security.yaml
+
+            - name: Commit and push changes
+              run: |
+                git config --global user.email "138894154+codeflare-machine-account@users.noreply.github.com"
+                git config --global user.name "codeflare-machine-account"
+                git checkout -b $PR_BRANCH_NAME
+                git commit -am "Update snyk-security.yaml"
+                git push --set-upstream origin "$PR_BRANCH_NAME"
+
+            - name: Create Pull Request
+              run: |
+                  gh pr create \
+                  --title "$pr_title" \
+                  --body "$pr_body" \
+                  --head ${{ env.PR_BRANCH_NAME }} \
+                  --base main \
+                  --label "lgtm" \
+                  --label "approved"
+              env:
+                GITHUB_TOKEN: ${{ secrets.GH_CLI_TOKEN }}
+                pr_title: "[CodeFlare-Machine] Append tag v${{ github.event.inputs.release-version }} to Snyk monitoring list"
+                pr_body: |
+                  :rocket: This is an automated Pull Request generated by [release.yaml](https://github.com/project-codeflare/codeflare-sdk/blob/main/.github/workflows/release.yaml) workflow.
+
+                  This PR appends to the list of tags that Snyk will be monitoring.
diff --git a/.github/workflows/snyk-security.yaml b/.github/workflows/snyk-security.yaml
@@ -0,0 +1,41 @@
+name: Snyk Security
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  snyk-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+            submodules: recursive
+
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+
+      - name: Snyk Monitor and Test multiple projects
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_ORG: ${{ secrets.SNYK_ORG }}
+        run: |
+          echo "Fetching tags"
+          git fetch origin 'refs/tags/*:refs/tags/*'
+
+          echo "Authenticating with Snyk"
+          snyk auth ${SNYK_TOKEN}
+
+          echo "Scanning project: codeflare-sdk/main"
+          snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="main"
+
+          # This list is based off RHOAI Supported versions: https://access.redhat.com/support/policy/updates/rhoai-sm/lifecycle
+          # Compared to the tags in the ImageStream annotations: https://github.com/red-hat-data-services/notebooks/blob/rhoai-2.8/manifests/base/jupyter-datascience-notebook-imagestream.yaml
+          # Loop through the list of released tags and scan each project
+          list_of_released_tags=("v0.22.0" "v0.21.1" "v0.19.1", "v0.16.4", "vv0.14.1")
+          for project in "${list_of_released_tags[@]}"; do
+            echo "Scanning project: codeflare-sdk/$project"
+            git checkout $project
+            snyk monitor --all-projects --exclude=requirements.txt --org=${SNYK_ORG} --target-reference="$(git describe --tags)"
+          done
