From b5a204af188ff0a8df9587b1b64ed777cfd5c48f Mon Sep 17 00:00:00 2001
From: Marek Karwacki
Date: Fri, 14 Mar 2025 09:26:30 +0100
Subject: [PATCH] ci: remove snyk

---
 .github/workflows/ci.yml | 134 +--------------------------------------
 1 file changed, 1 insertion(+), 133 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 08140c6..ee2d9c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,139 +16,8 @@ on: workflow_dispatch: jobs: - snyk-scan-deps-licences: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-scan-deps-licenses' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Run Snyk to check for deps vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical - - snyk-scan-code: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-scan-code' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Run Snyk to check for code vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high - command: code test - - snyk-sbom: - runs-on: ubuntu-latest - permissions: write-all - needs: - - snyk-scan-deps-licences - - snyk-scan-code - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-sbom' - 
secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Generate SBOM # check SBOM can be generated but nothing is done with it - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - command: sbom - - name: Upload SBOM - if: github.event_name == 'release' - uses: RDXWorks-actions/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a - with: - files: sbom.json - repo-token: ${{ secrets.GITHUB_TOKEN }} - - snyk-monitor: - runs-on: ubuntu-latest - if: > - ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) || - ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} ) - needs: - - build - - push - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: RDXWorks-actions/checkout@main - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-monitor' - secret_prefix: 'SNYK' - secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - - name: Enable Snyk online monitoring to check for vulnerabilities - uses: RDXWorks-actions/snyk-actions/node@master - with: - args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }} - command: monitor - - snyk-container-monitor: - runs-on: ubuntu-latest - if: > - ( github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') ) || - ( ${{ github.event_name == 'release' && github.event.release.prerelease == false }} ) - needs: - - build - - push - permissions: - 
id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main - with: - role_name: 'arn:aws:iam::308190735829:role/gh-common-secrets-read-access' - app_name: 'signaling-server' - step_name: 'snyk-container-monitor' - dockerhub_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/dockerhub-credentials' - snyk_secret_name: 'arn:aws:secretsmanager:eu-west-2:308190735829:secret:github-actions/common/snyk-credentials-rXRpuX' - parse_json: true - snyk_org_id: ${{ secrets.SNYK_ORG_ID }} - image: docker.io/radixdlt/signaling-server:${{ needs.build.outputs.tag }} - target_ref: ${{ github.ref_name }} - build: runs-on: ubuntu-latest - needs: - - snyk-scan-deps-licences - - snyk-scan-code outputs: tag: ${{ steps.setup_tags.outputs.tag}} steps:
@@ -223,9 +92,8 @@ jobs:
 dockerfile: "./Dockerfile"
 context: ./
 platforms: "linux/amd64"
- scan_image: true
+ scan_image: false
 continue_on_scan_image_finding: true
- snyk_target_ref: ${{ github.ref_name }}
 secrets:
 workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDP }}
 service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
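Review bot: With the four snyk-* jobs deleted, the workflow no longer runs any dependency, code or SBOM check before `build`, and `build` also loses its `needs:` gate on `snyk-scan-deps-licences` and `snyk-scan-code`, so nothing visible in this hunk replaces that control and the commit message says only "ci: remove snyk". If a replacement scanner is intended, it should land in the same change or be named in the commit, otherwise the repository silently drops its supply-chain gate. The removed `snyk-sbom` job also uploaded `sbom.json` as a release asset on `release` events, so releases after this change will ship without an SBOM unless one is generated elsewhere. A comment above `build:` such as `# NOTE: dependency/code scanning and SBOM generation were removed with Snyk (commit b5a204a); CI is not a security gate until a scanner is re-added` would at least record the regression for the next maintainer. The `build` job continues outside the hunk.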
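Review bot: Flipping `scan_image: true` to `scan_image: false` on the reusable build workflow also switches off image scanning for the container this job pushes, while `continue_on_scan_image_finding: true` on the next line is kept and is now a dead input that suggests a scan still runs. If the reusable workflow's image scan does not depend on the Snyk credentials removed elsewhere in this commit, it should presumably stay `scan_image: true`; which scanner it uses is not visible from this hunk. Otherwise drop `continue_on_scan_image_finding: true` in the same change so the configuration does not read as if findings are still being collected. The enclosing job and its `with:` block start outside the hunk.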