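name: Snyk Static Analysis Scan

# This workflow leverages Snyk actions to perform a Static Application
# Security Testing (SAST) scan on our first-party code upon Pull Requests
# to the "develop" and "release/*" branches. It is intended as a control
# to prevent vulnerabilities from being introduced into the codebase.
#
# NOTE: the scan step below runs with `continue-on-error: true`, so a
# failing scan is reported in the job log but does NOT fail the check.
# Until that is removed (or results are uploaded to Code Scanning), this
# workflow is advisory rather than a blocking control.

on:
  pull_request:
    branches:
      - develop
      - release/*

# Least privilege for the workflow's GITHUB_TOKEN: nothing here writes to the
# repository. Checkout authenticates with its own PAT (see below), and the
# Snyk CLI only needs SNYK_TOKEN. If the commented-out SARIF upload step is
# ever enabled it will additionally need `security-events: write`.
permissions:
  contents: read

jobs:
  Snyk_SAST_Scan:
    # Skip this job on PRs from forks (presumably because the repository
    # secrets used below are not available to fork PRs — confirm).
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
          # Checkout uses a bot PAT instead of the default GITHUB_TOKEN.
          token: ${{ secrets.BOT_GITHUB_ACTION_TOKEN }}

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          # Quoted so the version is always read as a string.
          node-version: '22'
          cache: 'yarn'

      - name: Run yarn
        run: yarn

      - name: Run build
        run: yarn build

      # TODO(security): this third-party action is pulled from the mutable
      # `master` ref. Pin it to a full commit SHA (with a version comment) so
      # an upstream change cannot silently alter what runs in this job.
      - uses: snyk/actions/setup@master

      - name: Perform Static Analysis Test
        # Findings never fail the check while this is true; see header note.
        continue-on-error: true
        # --yarn-workspaces          scan every workspace package
        # --strict-out-of-sync=false tolerate lockfile/manifest drift
        # --detection-depth=6        search up to 6 directory levels deep
        # --exclude=docker,Dockerfile skip container build files
        # --severity-threshold=high  report only high and critical findings
        run: |
          snyk code test --yarn-workspaces --strict-out-of-sync=false --detection-depth=6 --exclude=docker,Dockerfile --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      # The following requires an Advanced Security license.
      # - name: Upload results to Github Code Scanning
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: snyk_sarif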