Merge pull request #506 from GSA/dependabot/npm_and_yarn/app/static/n… #222

Workflow file for this run

	name: Snyk Security Testing

	on:
	workflow_dispatch:
	schedule:
	# Run weekly on Sundays at 2:00 AM EST (7:00 AM UTC)
	- cron: '0 7 * * 0'
	push:
	branches:
	- main

	permissions:
	contents: read
	security-events: write

	env:
	PY_VERSION: "3.12"

	jobs:
	snyk-test:
	runs-on: ubuntu-latest
	name: Snyk Security Scan
	if: github.event_name == 'workflow_dispatch' \|\| github.event_name == 'schedule'
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	# Set up Node.js for package-lock.json testing
	- name: Set up Node.js
	uses: actions/setup-node@v4
	with:
	node-version-file: "app/static/package.json"
	cache: 'npm'
	cache-dependency-path: \|
	package-lock.json
	app/static/package-lock.json

	# Install npm dependencies
	- name: Install Node.js dependencies
	run: \|
	npm ci
	cd app/static
	npm ci

	- name: Set up Python ${{ env.PY_VERSION }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PY_VERSION }}

	- name: Install Python dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install poetry
	poetry config virtualenvs.create false
	poetry install --without=dev

	- name: Install Snyk CLI
	run: npm install -g snyk

	- name: Authenticate Snyk
	run: snyk auth ${{ secrets.SNYK_TOKEN }}
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

	# Test main package-lock.json
	- name: Test package-lock.json with Snyk
	run: \|
	echo "Testing main package-lock.json..."
	snyk test --file=package-lock.json

	# Test app/static package-lock.json
	- name: Test app/static package-lock.json with Snyk
	run: \|
	echo "Testing app/static package-lock.json..."
	cd app/static
	snyk test --file=package-lock.json

	- name: Test poetry.lock with Snyk
	run: \|
	echo "Testing poetry.lock..."
	snyk test --file=poetry.lock --package-manager=poetry

	snyk-monitor:
	name: snyk monitor
	permissions:
	contents: read
	runs-on: ubuntu-latest
	if: github.event_name == 'push'

	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	# Set up Node.js for package-lock.json testing
	- name: Set up Node.js
	uses: actions/setup-node@v4
	with:
	node-version-file: "app/static/package.json"
	cache: 'npm'
	cache-dependency-path: \|
	package-lock.json
	app/static/package-lock.json

	- name: Install Node.js dependencies
	run: \|
	npm ci
	cd app/static
	npm ci

	- name: Set up Python ${{ env.PY_VERSION }}
	uses: actions/setup-python@v5
	with:
	python-version: ${{ env.PY_VERSION }}

	- name: Install Python dependencies
	run: \|
	python -m pip install --upgrade pip
	python -m pip install poetry
	poetry config virtualenvs.create false
	poetry install --without=dev

	- name: Install Snyk CLI
	run: npm install -g snyk

	- name: Authenticate Snyk
	run: snyk auth ${{ secrets.SNYK_TOKEN }}
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

	# Monitor dependencies (only on main branch pushes, not PRs)
	- name: Monitor dependencies with Snyk
	if: github.ref == 'refs/heads/main' && github.event_name == 'push'
	run: \|
	echo "Monitoring poetry.lock..."
	snyk monitor --file=poetry.lock --package-manager=poetry

	echo "Monitoring main package-lock.json..."
	snyk monitor --file=package-lock.json

	echo "Monitoring app/static package-lock.json..."
	cd app/static
	snyk monitor --file=package-lock.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Merge pull request #506 from GSA/dependabot/npm_and_yarn/app/static/n… #222

Workflow file

Merge pull request #506 from GSA/dependabot/npm_and_yarn/app/static/n… #222

Uh oh!

Workflow file for this run