name: scan on: workflow_dispatch: push: branches: [ main ] pull_request: branches: [ main ] schedule: - cron: '18 10 * * 3' permissions: contents: read jobs: scan-fossa: runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' steps: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Run FOSSA scan and upload build data uses: fossa-contrib/fossa-action@6cffaa064112e1cf9b5798c6224f9487dc1ec316 # v1 with: # FOSSA Push-Only API Token fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de github-token: ${{ github.token }} scan-snyk: runs-on: ubuntu-latest permissions: security-events: write if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]' steps: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Setup Kustomize uses: fluxcd/pkg//actions/kustomize@main - name: Build manifests run: | make cmd/flux/.manifests.done - name: Run Snyk to check for vulnerabilities uses: snyk/actions/golang@e25b2e6f5658d1bb7a6671b113260f13134cc3af # v0.3.0 continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --sarif-file-output=snyk.sarif - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@515828d97454b8354517688ddc5b48402b723750 # v2 with: sarif_file: snyk.sarif scan-codeql: runs-on: ubuntu-latest permissions: security-events: write if: github.actor != 'dependabot[bot]' steps: - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Set up Go uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 with: go-version: 1.19.x - name: Initialize CodeQL uses: github/codeql-action/init@515828d97454b8354517688ddc5b48402b723750 # v2 with: languages: go - name: Autobuild uses: github/codeql-action/autobuild@515828d97454b8354517688ddc5b48402b723750 # v2 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@515828d97454b8354517688ddc5b48402b723750 # v2