name: scan on: workflow_dispatch: push: branches: [ main ] pull_request: branches: [ main ] schedule: - cron: '18 10 * * 3' permissions: contents: read jobs: scan-fossa: runs-on: ubuntu-latest if: github.actor != 'dependabot[bot]' steps: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Run FOSSA scan and upload build data uses: fossa-contrib/fossa-action@6cffaa064112e1cf9b5798c6224f9487dc1ec316 # v1 with: # FOSSA Push-Only API Token fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de github-token: ${{ github.token }} scan-snyk: runs-on: ubuntu-latest permissions: security-events: write if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]' steps: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Setup Kustomize uses: fluxcd/pkg//actions/kustomize@main - name: Build manifests run: | make cmd/flux/.manifests.done - name: Run Snyk to check for vulnerabilities uses: snyk/actions/golang@1cc9026f51d822442cb4b872d8d7ead8cc69a018 # v0.3.0 continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --sarif-file-output=snyk.sarif - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2 with: sarif_file: snyk.sarif scan-codeql: runs-on: ubuntu-latest permissions: security-events: write if: github.actor != 'dependabot[bot]' steps: - name: Checkout repository uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Set up Go uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 with: go-version: 1.19.x - name: Initialize CodeQL uses: github/codeql-action/init@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2 with: languages: go - name: Autobuild uses: github/codeql-action/autobuild@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2