From b6c363d3e32195b254e29b6cd69b8f4c2bb899aa Mon Sep 17 00:00:00 2001
From: pvannierop <pim@thehyve.nl>
Date: Wed, 9 Oct 2024 13:58:07 +0200
Subject: [PATCH] Add Snyk action for vulnerability scanning

---
 .github/workflows/scheduled-snyk.yaml | 35 +++++++++++++++++++++++++++
 .github/workflows/snyk.yaml           | 16 ++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 .github/workflows/scheduled-snyk.yaml
 create mode 100644 .github/workflows/snyk.yaml

diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
new file mode 100644
index 00000000..ae94994d
--- /dev/null
+++ b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,35 @@
+name: Snyk scheduled test
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  push:
+    branches:
+      - master
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    env:
+      REPORT_FILE: test.json
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Use Node.js 16
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching='^runtimeClasspath$' --fail-on=upgradable --severity-threshold=high --json-file-output=${{ env.REPORT_FILE }}
+
+      - name: Report new vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+          report-file: ${{ env.REPORT_FILE }}
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 00000000..7855f168
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,16 @@
+name: Snyk test
+on:
+  pull_request:
+    branches: [ master, dev ]
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high