name: Sync Snyk Monitoring on: workflow_dispatch: push: branches: [master] paths: - '.github/workflows/sync_snyk-monitor.yml' - '**/.snyk' - '**/package.json' - 'yarn.lock' # This workflow synchronizes the packages in this repo along with policies in # each .snyk file with the remote state in our snyk org. It allows us to define # ignore policies in the .snyk files and then have them show up in the snyk web # UI, and also automatically adds any new packages that are created. permissions: contents: read jobs: sync: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Harden Runner uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Monitor and Synchronize Snyk Policies uses: snyk/actions/node@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # master with: command: monitor args: > --yarn-workspaces --org=backstage-dgh --strict-out-of-sync=false --remote-repo-url=https://github.com/backstage/backstage env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} NODE_OPTIONS: --max-old-space-size=7168 # Above we run the `monitor` command, this runs the `test` command which is # the one that generates the SARIF report that we can upload to GitHub. - name: Create Snyk report uses: snyk/actions/node@8349f9043a8b7f0f3ee8885bf28f0b388d2446e8 # master continue-on-error: true # To make sure that SARIF upload gets called with: args: > --yarn-workspaces --org=backstage-dgh --strict-out-of-sync=false --sarif-file-output=snyk.sarif env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} NODE_OPTIONS: --max-old-space-size=7168 - name: Upload Snyk report uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 with: sarif_file: snyk.sarif