snyk-sast.yml
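# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
#
# Reusable SAST workflow: installs the Snyk CLI (cached between runs), checks
# out the commit under test and runs `snyk code test`, failing the job on any
# finding of severity "high" or above.
# NOTE(review): projen regenerates this file, so every change below must be
# mirrored in .projenrc.ts or it will be overwritten on the next `npx projen`.
name: snyk-sast
on:
  workflow_call:
    # Declare the secret this job depends on. Without the declaration a caller
    # that does not pass `secrets: inherit` gets an empty SNYK_TOKEN and the
    # scan fails at runtime instead of at workflow validation.
    secrets:
      SNYK_TOKEN:
        required: true
  workflow_dispatch: {}
jobs:
  sast-scan:
    name: Run SAST Scan with Snyk
    runs-on: ubuntu-latest
    # Least privilege: the scan only needs to read the repository.
    permissions:
      contents: read
    steps:
      # NOTE(review): third-party actions are pinned to a major tag (`@v4`);
      # pinning each `uses:` to a full commit SHA is the hardened form.
      - name: Setup node 20
        id: setup-node20
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Get npm global installation root folder
        id: get-npm-root
        run: |-
          NPM_ROOT_LIBS=$(npm root -g)
          # `npm root -g` prints <prefix>/lib/node_modules; strip the suffix to get <prefix>.
          NPM_ROOT=$(echo "$NPM_ROOT_LIBS" | sed 's/\/lib\/node_modules//')
          echo "npm-root-global-libs=$NPM_ROOT_LIBS"
          echo "path=$NPM_ROOT"
          echo "path=$NPM_ROOT" >> "$GITHUB_OUTPUT"
      # NOTE(review): the cached path is the whole npm prefix, which under
      # setup-node appears to be the Node toolchain directory itself (node
      # binary included) rather than just the global packages — confirm
      # whether the narrower lib/node_modules + bin entries would do. Whatever
      # is restored from cache runs as trusted code; the key is derived only
      # from .projenrc.ts, so bump the pinned versions there to invalidate it.
      - name: Cache global npm folder
        id: cache-npmg
        uses: actions/cache@v4
        with:
          path: ${{ steps.get-npm-root.outputs.path }}
          key: ${{ runner.os }}-npm-global-snyk-${{ hashFiles('.projenrc.ts') }}
      - name: Install snyk and snyk-delta
        id: install-snyk
        if: steps.cache-npmg.outputs.cache-hit != 'true'
        # NOTE(review): the package specs on this line were mangled by the
        # rendering site's e-mail obfuscation; the intent is exact-version
        # pins of the form `snyk@<version> snyk-delta@<version>` — restore
        # them from .projenrc.ts rather than from this copy.
        run: npm i -g [email protected] [email protected]
      # Checkout happens after tool installation so the tree being scanned
      # cannot influence which tooling gets installed.
      - name: Checkout HEAD
        id: checkout
        uses: actions/checkout@v4
      # The Snyk CLI reads SNYK_TOKEN from the environment, so `snyk auth
      # <token>` is not needed here: passing the secret as a CLI argument
      # exposes it to anything that can read the process table, and
      # `snyk auth` persists it into the runner's config file. Only the org
      # selection needs to be configured on disk.
      - name: Configure Snyk org
        id: snyk-auth
        run: snyk config set org=vianho
      - name: Run snyk code on HEAD
        id: snyk-sast
        env:
          # Scoped to the single step that talks to Snyk, not to the whole job.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |-
          SHA=$(git log -1 '--format=format:%H')
          RESULT_PATH="${{ github.workspace }}/snyk_code_result_$SHA.json"
          # Publish the report path before the scan so it is still available
          # (e.g. to an `if: always()` upload step) when the scan fails the job.
          echo "result-path=$RESULT_PATH" >> "$GITHUB_OUTPUT"
          # Exits non-zero on any finding at or above "high", which fails the job.
          snyk code test --severity-threshold=high --json > "$RESULT_PATH"
        # The default, kept explicit: findings must fail the job.
        continue-on-error: false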