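name: CI - Security scans

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it
# (suppress yamllint `truthy` here if the linter complains).
on:
  workflow_dispatch: {}
  schedule:
    - cron: "0 0 * * *"
  pull_request:
    paths:
      - ".github/workflows/ci-security-scans.yml"
      - "scripts/**"
      - "ragstack-ai-ts/**"
    branches:
      - main

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# the repository. Checkout needs read access only; Snyk and Testspace use
# their own secrets. Grant more at the job level if a composite action
# (./.github/actions/*) turns out to need it.
permissions:
  contents: read

# One run per workflow/ref; a newer push supersedes an in-flight scan.
concurrency:
  group: ragstack-security-scans-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  snyk-ragstack-dev:
    name: Security Scan / RAGStack dev
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
        uses: actions/checkout@v4
      - name: "Setup: Node"
        uses: ./.github/actions/setup-node
      - name: "Install"
        # --immutable refuses an install that would modify the lockfile, so
        # the scan sees exactly the committed dependency tree.
        run: |
          cd ragstack-ai-ts
          yarn install --immutable
      - name: Run Snyk to check for vulnerabilities
        # NOTE(review): @master is a mutable ref; pin to a commit SHA
        # (snyk/actions/node@<commit-sha>) so the scanner itself cannot
        # change under this workflow. The `if: always()` on the next step
        # suggests this step is expected to fail when findings at or above
        # the threshold exist — confirm against the action's docs.
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --json-file-output=snyk-vuln.json --print-deps --all-projects --exclude=ragstack-ai-ts-e2e-tests
      - name: Move snyk vulnerabilities file
        # Runs even when the scan step failed so the JSON report is still
        # collected for the Testspace upload below.
        if: ${{ always() }}
        run: |
          mkdir -p snyk_reports
          mv snyk-vuln.json snyk_reports/snyk-vuln.json
      # - name: Prepare dev docker image
      #   if: ${{ always() }}
      #   run: |
      #     poetry build
      #     docker build -t datastax/ragstack-ai:latest-dev -f docker/Dockerfile.dev dist
      #
      # - name: Run Snyk to check Docker image for vulnerabilities
      #   uses: snyk/actions/docker@master
      #   if: ${{ always() }}
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     image: datastax/ragstack-ai:latest-dev
      #     args: --json-file-output=snyk.json --severity-threshold=high
      #     json: true
      # - name: Move snyk docker file
      #   if: ${{ always() }}
      #   run: |
      #     mkdir -p snyk_reports
      #     mv snyk.json snyk_reports/snyk-docker.json
      - name: Testspace deploy report
        uses: ./.github/actions/deploy-testspace-report
        # Publish only from scheduled or manual runs, never from PR validation.
        if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
        with:
          report-type: snyk
          token: ${{ secrets.TESTSPACE_TOKEN }}
          report-file: snyk_reports
          space: "RAGStack security scans - RAGStack dev"
  # snyk-ragstack-latest-release:
  #   name: Security Scan / RAGStack latest
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: Check out the repo
  #       uses: actions/checkout@v4
  #
  #     - name: Prepare requirements
  #       run: |
  #         echo "ragstack-ai" > requirements.txt
  #
  #     - name: Run Snyk scan
  #       id: snyk
  #       uses: ./.github/actions/snyk-python-3.11
  #       with:
  #         token: ${{ secrets.SNYK_TOKEN }}
  #         args: --file=requirements.txt
  #
  #     - name: Move snyk vulnerabilities file
  #       if: ${{ always() }}
  #       run: |
  #         mkdir -p snyk_reports
  #         mv snyk-vuln.json snyk_reports/snyk-vuln.json
  #
  #     - name: Run Snyk to check Docker image for vulnerabilities
  #       uses: snyk/actions/docker@master
  #       if: ${{ always() }}
  #       env:
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #       with:
  #         image: ghcr.io/datastax/ragstack-ai:latest
  #         args: --severity-threshold=high --json-file-output=snyk.json
  #         json: true
  #
  #     - name: Move snyk docker file
  #       if: ${{ always() }}
  #       run: |
  #         mkdir -p snyk_reports
  #         mv snyk.json snyk_reports/snyk-docker.json
  #
  #     - name: "Setup: Python 3.11"
  #       if: ${{ always() }}
  #       uses: ./.github/actions/setup-python
  #
  #     - name: Testspace deploy report
  #       uses: ./.github/actions/deploy-testspace-report
  #       if: ${{ always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') }}
  #       with:
  #         report-type: snyk
  #         token: ${{ secrets.TESTSPACE_TOKEN }}
  #         report-file: snyk_reports
  #         space: "RAGStack security scans - RAGStack latest"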