From b20798549b2f4ae1f72f42cb0eed4f0626c8c71c Mon Sep 17 00:00:00 2001
From: pvannierop <pim@thehyve.nl>
Date: Thu, 10 Oct 2024 13:27:54 +0200
Subject: [PATCH] Add Snyk GitHub actions

---
 .github/workflows/scheduled-snyk.yaml | 28 +++++++++++++++++++++++++++
 .github/workflows/snyk.yaml           | 14 ++++++++++++++
 .snyk                                 |  5 +++++
 3 files changed, 47 insertions(+)
 create mode 100644 .github/workflows/scheduled-snyk.yaml
 create mode 100644 .github/workflows/snyk.yaml
 create mode 100644 .snyk

diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
new file mode 100644
index 0000000..c7daaa9
--- /dev/null
+++ b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,28 @@
+name: Snyk scheduled test
+on:
+  schedule:
+    - cron: '0 2 1 * *'
+  push:
+    branches:
+      - master
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    env:
+      REPORT_FILE: test.json
+    steps:
+      - uses: actions/checkout@v3
+      - uses: snyk/actions/gradle-jdk17@master
+        name: Run Snyk to check for vulnerabilities
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with: --all-projects --configuration-matching='^runtimeClasspath$' --fail-on=upgradable --json-file-output=${{ env.REPORT_FILE }}--org=radar-base --policy-path=$PWD/.snyk
+
+      - name: Report new vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+          report-file: ${{ env.REPORT_FILE }}
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 0000000..9a1d3ac
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,14 @@
+name: Snyk test
+on:
+  pull_request:
+    branches: [ master, dev ]
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: snyk/actions/gradle-jdk17@master
+        name: Run Snyk to check for vulnerabilities
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with: --all-projects --configuration-matching='^runtimeClasspath$' --org=radar-base --policy-path=$PWD/.snyk
diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..2b62034
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}