[Snyk] Security upgrade @angular/cli from 10.2.4 to 14.2.12 #45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Snyk IaC Analysis and PR Comment | |
| on: | |
| pull_request_target: | |
| types: [opened, edited, synchronize, reopened] | |
| jobs: | |
| code-analysis-and-comment: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Run Snyk IaC Test | |
| uses: snyk/actions/node@master | |
| continue-on-error: true # To ensure the comment gets posted regardless of scan results | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: | | |
| 'auth' | |
| 'iac test' # Specifies to run a code analysis | |
| args: '--sarif-file-output=snyk-iac-results.sarif' # Outputs results in SARIF format | |
| - name: Comment in PR | |
| uses: actions/github-script@v6 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const sarifPath = './snyk-iac-results.sarif'; | |
| let message = '👋 Thanks for reporting! The Snyk IaC scan was completed.'; | |
| try { | |
| if (fs.existsSync(sarifPath)) { | |
| const sarifOutput = JSON.parse(fs.readFileSync(sarifPath, 'utf8')); | |
| let results = sarifOutput.runs && sarifOutput.runs[0].results ? sarifOutput.runs[0].results : []; | |
| // Sorting logic to sort issues by severity from High to Low | |
| results.sort((a, b) => { | |
| const severityLevels = { 'error': 1, 'warning': 2, 'note': 3, 'unknown': 4 }; | |
| const severityA = severityLevels[a.level] || 4; | |
| const severityB = severityLevels[b.level] || 4; | |
| return severityA - severityB; | |
| }); | |
| if (results.length > 0) { | |
| message += ` We found ${results.length} potential issues:\n\n`; | |
| message += '| Icon | Severity | Issue | URI | Problem |\n'; | |
| message += '| --- | --- | --- | --- | --- |\n'; | |
| results.forEach(result => { | |
| let icon; | |
| let severityText; | |
| switch(result.level) { | |
| case 'error': | |
| icon = '🔴'; // Red circle for high severity | |
| severityText = 'High'; | |
| break; | |
| case 'warning': | |
| icon = '🟠'; // Orange circle for medium severity | |
| severityText = 'Medium'; | |
| break; | |
| case 'note': | |
| icon = '🟡'; // Yellow circle for low severity | |
| severityText = 'Low'; | |
| break; | |
| default: | |
| icon = '⚪'; // White circle for unknown severity | |
| severityText = 'Unknown'; | |
| break; | |
| } | |
| const rule = sarifOutput.runs[0].tool.driver.rules.find(r => r.id === result.ruleId) || {}; | |
| const shortDescription = rule.shortDescription && rule.shortDescription.text ? rule.shortDescription.text : 'No description available'; | |
| const problemSeverity = rule.properties && rule.properties.problem && rule.properties.problem.severity ? rule.properties.problem.severity : 'Unknown severity'; | |
| const uri = result.locations && result.locations[0] && result.locations[0].physicalLocation && result.locations[0].physicalLocation.artifactLocation ? result.locations[0].physicalLocation.artifactLocation.uri : 'Unknown URI'; | |
| message += `| ${icon} | ${severityText} | ${rule.id} | ${uri} | ${shortDescription} (${problemSeverity}) |\n`; | |
| }); | |
| } else { | |
| message += ' No issues were found.'; | |
| } | |
| } else { | |
| message += ' No SARIF output file found, please check the action logs.'; | |
| } | |
| } catch (error) { | |
| console.error('Error processing SARIF output:', error); | |
| message += ' An error occurred while processing the SARIF output.'; | |
| } | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: message | |
| }); |