Skip to content

ZXF: Snyk Monitor

ZXF: Snyk Monitor #890

# SPDX-License-Identifier: Apache-2.0
name: "ZXF: Snyk Monitor"
# The purpose of this job is to run on each commit to the main branch and daily at midnight UTC on the most recent commit.
# This job is not intended to be run manually, but rather to be run when triggered by either a commit or the schedule.
on:
push:
branches:
- main
schedule:
- cron: "0 0 * * *"
permissions:
contents: read
jobs:
snyk:
name: Snyk Monitor
runs-on: hl-crypto-lin-md
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- name: Setup Java
uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
with:
distribution: temurin
java-version: 25.0.2
- name: Setup Gradle
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
with:
gradle-version: wrapper
- name: Setup NodeJS
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version: 20
# This step may be optional since Snyk analysis does not require the binary artifacts to be built first. However,
# Snyk will fail if the code does not compile and the error messages are less than helpful. Therefore, we will
# compile the code first and then run Snyk so that we can get diagnostic information if the code does not compile.
- name: Compile
run: ./gradlew assemble
- name: Setup Snyk
run: npm install -g snyk
# For the Snyk Gradle integration to work, the configuration cache needs to be disabled and there needs to be an
# (empty) build.gradle.kts in the root folder.
- name: Disable Gradle Configuration Cache
run: |
sed -i 's/^org.gradle.configuration-cache=.*$/org.gradle.configuration-cache=false/' gradle.properties
touch build.gradle.kts
# This step is what actually uploads the Snyk analysis to the Snyk Cloud. The Snyk token is stored as a secret
# in the Github repository and is passed to the Snyk CLI via the environment variable SNYK_TOKEN.
- name: Run Snyk Monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: snyk monitor --all-projects --org=hedera-services