
2.11.5c: add scan-with-codeql action
webpwnized committed Oct 20, 2023
1 parent ec9ac6f commit 095327f
Showing 2 changed files with 34 additions and 21 deletions.
22 changes: 18 additions & 4 deletions .github/workflows/run-snyk.yml
@@ -1,33 +1,47 @@
# Name of the GitHub Actions workflow
name: Scan PHP code with Snyk Code

# Define when the workflow should be triggered
on:
push:
branches:
- main
- development
pull_request:
# Trigger when code is pushed or pull requests are opened/updated on 'main' and 'development' branches

# Define the job(s) to be executed within the workflow
jobs:
security:
runs-on: ubuntu-latest
name: run-snyk
name: Run Snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# Define an environment variable 'SNYK_TOKEN' to securely store your Snyk token

steps:
- name: Checkout Code
uses: actions/checkout@v4
# Action to check out the code from the repository
# This step fetches the codebase from your GitHub repository

- name: Install Snyk & Authenticate
run: |
# Install Snyk globally and authenticate using the provided token
sudo npm install -g snyk
snyk auth ${SNYK_TOKEN}
# The 'SNYK_TOKEN' is securely stored as a GitHub secret
- name: Run Snyk Code
run: |
# Run Snyk Code to scan PHP code
snyk code test -d --org="5647cfeb-45c0-4c43-89a1-3459fe25c145" --sarif > snyk-results.sarif
# Use the provided organization ID and generate SARIF report
continue-on-error: true
# Continue to the next step even if Snyk encounters errors

- name: Upload results from Snyk to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-results.sarif


# Action to upload the results of the Snyk scan in SARIF format
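Review bot: The workflow declares no `permissions:` block, so the `upload-sarif` step at the end of the job relies on whatever the repository's default GITHUB_TOKEN happens to grant; add an explicit least-privilege block at the top level with `contents: read` and `security-events: write`, which is what uploading to Code Scanning needs and nothing more. The `snyk auth ${SNYK_TOKEN}` line in the "Install Snyk & Authenticate" step places the secret on a command line, where it is visible in the runner's process list and in any shell tracing; the Snyk CLI reads `SNYK_TOKEN` from the environment that the job already sets, so the `auth` call can simply be removed. `sudo npm install -g snyk` pulls whatever release is current at run time, so pin it (`npm install -g snyk@<VERSION-PLACEHOLDER>`) to keep the scanner reproducible, and confirm that the `-d` debug flag on `snyk code test` is wanted, since its verbose output lands in the job log. The `@v2`/`@v4` references to `actions/checkout` and `github/codeql-action` here and in scan-with-codeql.yml are mutable tags; pinning to a commit SHA is the usual hardening for third-party actions.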
33 changes: 16 additions & 17 deletions .github/workflows/scan-with-codeql.yml
Expand Up @@ -10,10 +10,9 @@ on:
# Define the jobs to be executed within the workflow
jobs:
build:
name: Build
name: Scan PHP code with CodeQL
runs-on: ubuntu-latest # Use the latest version of Ubuntu

steps: Scan PHP code with CodeQL
steps:
- name: Checkout code
uses: actions/checkout@v4
# Action to check out the code from the repository
Expand All @@ -23,24 +22,24 @@ jobs:
uses: github/codeql-action/init@v2
# Action to initialize the CodeQL environment

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
# Specify a category to distinguish between multiple analyses
# for the same tool and ref. If you don't use `category` in your workflow,
# GitHub will generate a default category name for you
category: "Scan-PHP-code-with-CodeQL"
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
# Specify a category to distinguish between multiple analyses
# for the same tool and ref. If you don't use `category` in your workflow,
# GitHub will generate a default category name for you
category: "Scan-PHP-code-with-CodeQL"

- name: Add Metadata to SARIF
- name: Add Metadata to SARIF
run: |
# Create a JSON object with metadata
metadata='{ "name": "CodeQL", "Language": "PHP" }'
# Create a JSON object with metadata
metadata='{ "name": "CodeQL", "Language": "PHP" }'
# Merge the metadata with the existing SARIF file
jq --argjson metadata "$metadata" '. + { "tool": $metadata }' < codeql-results.sarif > codeql-results-with-metadata.sarif
# Merge the metadata with the existing SARIF file
jq --argjson metadata "$metadata" '. + { "tool": $metadata }' < codeql-results.sarif > codeql-results-with-metadata.sarif
# Replace the original SARIF file with the one containing metadata
mv codeql-results-with-metadata.sarif codeql-results.sarif
# Replace the original SARIF file with the one containing metadata
mv codeql-results-with-metadata.sarif codeql-results.sarif
- name: Upload CodeQL Analysis
uses: github/codeql-action/upload-sarif@v2
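Review bot: The "Add Metadata to SARIF" step merges `{ "tool": $metadata }` into the top level of the SARIF document, but a SARIF 2.1.0 log has no top-level `tool` property (tool metadata lives under `runs[].tool.driver`) and `"Language"` is not a defined key at either level, so the added object is at best ignored and at worst rejected at upload. If the aim is to label the run, update the existing driver instead, e.g. `jq '.runs[].tool.driver += {"name": "CodeQL"}'`, or rely on the `category` already passed to the analyze step. The step also reads `codeql-results.sarif` from the workspace, yet nothing in the visible hunk writes that file; `github/codeql-action/analyze@v2` writes its SARIF to the directory given by its `output` input rather than the workspace root and, as far as I can tell, uploads it itself by default, so unless `output:` is set elsewhere this step likely fails on a missing file and the final `upload-sarif` step re-sends results that analyze already uploaded. The pairs of identical-looking lines in this hunk appear to be an indentation-only change, and the `build` job continues past the end of the hunk.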
