centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
oncall-engine/.github/workflows/snyk-security-scan.yml
Matthew Thorning a991fac43e
chore: update gh workflows with zizmor suggested fixes (#5523) 
This pull request updates multiple GitHub Actions workflows to improve
security, stability, and functionality. The most notable changes include
pinning action versions to specific commit SHAs, adding validation for
branch names, and updating dependencies and configurations.

### Security Improvements:
* Added `persist-credentials: false` to `actions/checkout` steps in
`.github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml`
and `.github/workflows/e2e-tests.yml` to reduce the risk of unauthorized
access to credentials.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9R29)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
* Validated branch names against a safe pattern in
`.github/workflows/linting-and-tests.yml` to prevent potential misuse of
branch names in subsequent steps.

### Stability Enhancements:
* Pinned all third-party GitHub Actions to specific commit SHAs across
various workflows to ensure consistent and predictable behavior.
Examples include
`grafana/shared-workflows/actions/build-push-to-dockerhub`,
`catchpoint/workflow-telemetry-action`, and
`actions-ecosystem/action-remove-labels`.
[[1]](diffhunk://#diff-f87667d48e22abfbbccf3695a8acc386143e3542286f432e6e3d8330960c76f9L37-R38)
[[2]](diffhunk://#diff-194218c48b9a0cdd03974145733804c2d992ca818529fe2fa69a501d8b5b1cc3R48-R59)
[[3]](diffhunk://#diff-f93a3de9563193d65121683e6383741ac4b6aa18bdb51ba82b80497e700561cdL15-R15)
* Updated Helm-related actions in
`.github/workflows/linting-and-tests.yml` and
`.github/workflows/on-release-published.yml` to specific SHAs for better
reliability.
[[1]](diffhunk://#diff-a70d3d29c45894eeef2036c533385dbc424f9479590aaea01e62c06dc67079a1L147-R170)
[[2]](diffhunk://#diff-e95a5d3f03a1351728732657b6b150cfbbd9a9724b387226b1f99f079b1954b0L91-R91)

### Functional Updates:
* Enhanced `.github/workflows/linting-and-tests.yml` by using validated
branch references in Git commands to avoid errors caused by unsafe
branch names.
* Updated `snyk/actions/setup` in
`.github/workflows/snyk-security-scan.yml` to a specific SHA for
improved compatibility and security.

These changes collectively enhance the security, reliability, and
maintainability of the workflows.
2025-05-01 08:56:34 -04:00

49 lines
2.3 KiB
YAML
Raw Permalink Blame History

name: Snyk security scan
on:
workflow_call:
jobs:
snyk-security-scan:
name: Snyk security scan
runs-on: ubuntu-latest
# see this PR regarding the permissions needed for this workflow
# https://github.com/snyk/actions/pull/79
permissions:
# required for all workflows
security-events: write
# only required for workflows in private repositories
actions: read
contents: read
# required for Vault secrets
id-token: write
steps:
- uses: actions/checkout@v4
- name: Setup Python
uses: ./.github/actions/setup-python
- name: Install frontend dependencies
uses: ./.github/actions/install-frontend-dependencies
- name: Get Vault secrets
uses: grafana/shared-workflows/actions/get-vault-secrets@b7d33d6a98dc9cf332674c6cdebe92b8bcb05670 #v0.3.0
with:
common_secrets: |
SNYK_TOKEN=snyk_scan_github_action:token
- name: Install Snyk
uses: snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0
# NOTE: on the snyk monitor and snyk test commands, we are excluding the dev and tools directories
# because we can't install the requirements.txt files of these directories alongside the main engine
# requirements.txt (some conflicting dep versions). If we realllly wanted to test these, we should do it
# as a seperate job and setup a separate Python env w/ just the deps of those projects. Since these projects
# are really just dev/internal scripts we don't really need to worry about them for now
- name: snyk monitor
# https://docs.snyk.io/snyk-cli/commands/monitor
run: snyk monitor --all-projects --severity-threshold=high --exclude=dev,tools
- name: snyk test
# https://docs.snyk.io/snyk-cli/commands/test
# yamllint disable rule:line-length
run: snyk test --all-projects --severity-threshold=high --exclude=dev,tools --fail-on=all --show-vulnerable-paths=all
# yamllint enable rule:line-length
# TODO: setup snyk container monitor & snyk container test
# will require building the docker image and storing it in the local docker registry..
# will need to refactor .github/workflows/build-engine-docker-image-and-publish-to-dockerhub.yml
# to be a composable action instead of a workflow
Reference in a new issue View git blame Copy permalink