mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2026-07-17 16:39:40 +00:00
- restrict all default permissions - content: read is not necessary for public repos - security-events: write is needed for CodeQL uploads of SARIF reports - persist-credentials: false prevents any github token to remain configured in the checked out repo (not necessary when not intending to push from the action)
40 lines
1.3 KiB
YAML
40 lines
1.3 KiB
YAML
# This is a basic workflow to help you get started with Actions
|
|
|
|
name: Snyk scan
|
|
|
|
on:
|
|
# Triggers the workflow on push or pull request events but only for the master branch
|
|
push:
|
|
branches: [ master ]
|
|
pull_request:
|
|
branches: [ master ]
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
# https://github.com/snyk/actions/tree/master/php
|
|
snyk-php:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ubuntu-latest
|
|
if: |
|
|
github.repository == 'PrivateBin/PrivateBin' && (
|
|
github.event.pull_request.author_association == 'COLLABORATOR' ||
|
|
github.event.pull_request.author_association == 'CONTRIBUTOR' ||
|
|
github.event.pull_request.author_association == 'MEMBER' ||
|
|
github.event.pull_request.author_association == 'OWNER' )
|
|
steps:
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
persist-credentials: false
|
|
- name: Run Snyk to check for vulnerabilities
|
|
uses: snyk/actions/php@master
|
|
continue-on-error: true # To make sure that SARIF upload gets called
|
|
env:
|
|
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
|
with:
|
|
args: --sarif-file-output=snyk.sarif
|
|
- name: Upload result to GitHub Code Scanning
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
with:
|
|
sarif_file: snyk.sarif
|