security.yml

name: Security Scans

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

jobs:
  monitor:
    name: Sync with snyk.io
    runs-on: ubicloud
    steps:
      - uses: actions/checkout@master
      - name: Monitor on snyk.io
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor --org=${{ secrets.SNYK_ORG }} --all-projects --project-business-criticality=critical --project-lifecycle=production --project-environment=backend
  sast:
    needs: monitor
    name: Code Scan
    runs-on: ubicloud
    steps:
      - name: Checkout changes
        uses: actions/checkout@v2

      - uses: snyk/actions/setup@master
      - name: Snyk Code Scan
        run: snyk code test --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium --sarif-file-output=snyk-sast.json
        env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload code report
        if: always()
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk-sast.json
  sca:
      needs: monitor
      name: Dependency Scan
      runs-on: ubicloud
      steps:
        - name: Checkout changes
          uses: actions/checkout@v2

        - name: Snyk Dependency Scan
          uses: snyk/actions/node@master
          env:
            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          with:
            args: --all-projects --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium --fail-on=upgradable --sarif-file-output=snyk-sca.sarif

        - name: Upload dependency report
          if: always()
          uses: github/codeql-action/upload-sarif@v1
          with:
            sarif_file: snyk-sca.sarif