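name: Snyk

on:
  merge_group:
  workflow_dispatch:
  pull_request:
    types:
      - opened
      - synchronize
  push:
    branches:
      - main
  schedule:
    - cron: '30 0 1,15 * *'

# Least privilege: nothing in this workflow writes back to the repository.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  # Discover packages with changes for targeted scanning
  discover-changed-packages:
    name: Discover Changed Packages
    runs-on: ubuntu-latest
    # Skip Dependabot and merge-queue runs. This has to be a job-level
    # condition: a step that merely runs `exit 0` does not stop the steps
    # after it, so the previous step-level guard never skipped anything.
    if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
      has-changes: ${{ steps.set-matrix.outputs.has-changes }}
    steps:
      # NOTE: pinning actions to a full commit SHA (rather than a tag) makes
      # the workflow immune to a moved or compromised tag.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
          # Full history so that origin/main...HEAD can be resolved below.
          fetch-depth: 0
      - name: Discover packages with changes
        id: set-matrix
        env:
          # Passed through the environment instead of being interpolated
          # into the shell script with `${{ }}`.
          EVENT_NAME: ${{ github.event_name }}
        run: |
          # For push events or scheduled runs, scan all packages
          if [[ "$EVENT_NAME" == "push" || "$EVENT_NAME" == "schedule" || "$EVENT_NAME" == "workflow_dispatch" ]]; then
            packages=$(find packages -maxdepth 1 -type d -name "auth0_*" | sed 's|^packages/||' | jq -R -s -c 'split("\n")[:-1]')
            echo "Scanning all packages for $EVENT_NAME event"
          else
            # For PRs, only scan packages with changes
            changed_files=$(git diff --name-only origin/main...HEAD)
            changed_packages=$(echo "$changed_files" | grep '^packages/auth0_' | cut -d'/' -f2 | sort -u | jq -R -s -c 'split("\n")[:-1] | map(select(length > 0))')
            packages="$changed_packages"
            echo "Changed files: $changed_files"
            echo "Scanning changed packages for PR: $packages"
          fi
          echo "matrix={\"package\":$packages}" >> "$GITHUB_OUTPUT"
          if [ "$packages" = "[]" ]; then
            echo "has-changes=false" >> "$GITHUB_OUTPUT"
          else
            echo "has-changes=true" >> "$GITHUB_OUTPUT"
          fi
          echo "Final packages to scan: $packages"

  # Security scanning for packages with changes
  security-scan:
    name: Security Scan (${{ matrix.package }})
    runs-on: ubuntu-latest
    needs: discover-changed-packages
    # Also skipped automatically when discover-changed-packages is skipped,
    # because its outputs are then empty.
    if: needs.discover-changed-packages.outputs.has-changes == 'true'
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.discover-changed-packages.outputs.matrix) }}
    env:
      # The matrix value is derived from directory names in the checked-out
      # tree; expose it as an environment variable so the shell scripts below
      # never interpolate it with `${{ }}`.
      PACKAGE: ${{ matrix.package }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha || github.ref }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Check for requirements.txt
        working-directory: packages/${{ matrix.package }}
        run: |
          if [ ! -f "requirements.txt" ]; then
            echo "❌ requirements.txt not found for $PACKAGE"
            echo "Please ensure requirements.txt exists in the package directory"
            exit 1
          fi
          echo "✅ Found requirements.txt for $PACKAGE"
          echo "Dependencies to scan:"
          head -5 requirements.txt
      - name: Install dependencies
        working-directory: packages/${{ matrix.package }}
        run: |
          echo "Installing dependencies for Snyk scan..."
          pip install -r requirements.txt
          echo "✅ Dependencies installed successfully"
      - name: Install Snyk CLI
        run: |
          # Download the CLI and check it against Snyk's published checksum
          # before putting it on PATH; `-f` makes curl fail on an HTTP error
          # instead of saving an error page as the binary. Pinning a fixed CLI
          # version instead of "latest" would make this step reproducible.
          curl -fsSLo snyk-linux "https://static.snyk.io/cli/latest/snyk-linux"
          curl -fsSLo snyk-linux.sha256 "https://static.snyk.io/cli/latest/snyk-linux.sha256"
          sha256sum -c snyk-linux.sha256
          chmod +x snyk-linux
          sudo mv snyk-linux /usr/local/bin/snyk
      - name: Run Snyk security scan
        working-directory: packages/${{ matrix.package }}
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          echo "Running Snyk scan in $(pwd)"
          echo "Python version: $(python3 --version)"
          echo "Pip packages installed:"
          pip3 list | grep -E "(authlib|requests|httpx|ada-url)" || echo "Some packages not found"
          # Run Snyk test with debug output; retry with --allow-missing when
          # the first attempt fails (a second failure still fails the job).
          snyk test --file=requirements.txt --package-manager=pip --command=python3 --debug || {
            echo "Snyk test failed, trying with --allow-missing flag..."
            snyk test --file=requirements.txt --package-manager=pip --command=python3 -- --allow-missing
          }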