add: Github Actions CI/CD updated (#57)

Various updates for GH Actions + juice shop example

Co-authored-by: Miklós Csécsi <[email protected]>

GitHubActions/GH-actions-pipeline-npm-nodejs-sarif.yml

@@ -0,0 +1,66 @@
+name: Prebuilt repo + Snyk Security Scanning (OS, Code, Docker, IaC)
+
+# Runs 4 Snyk Products (Code, Open Source, Container, IaC)
+# Snyk installation via npm
+# Node.js version: 18.4
+# Outputs the results to the pipeline and in SARIF-format to the security tab
+
+# Prerequisites:
+# - Set a SNYK_TOKEN and a SNYK_ORG in the pipelines secrets
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Use Node.js for installing Snyk 
+      uses: actions/setup-node@v2
+      with:
+        node-version: 18.4
+
+    # Install & prepare Snyk
+    - run: npm install --location=global snyk
+
+    #  This OPTIONAL step will configure the Snyk CLI to connect to the EU instance of Snyk
+    #- run: snyk config set use-base64-encoding=true
+    #- run: snyk config set endpoint=https://app.eu.snyk.io/api'
+
+    - run: snyk auth ${{ secrets.SNYK_TOKEN }}
+
+    - name: Snyk Open Source Scanning
+      run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif
+      continue-on-error: true
+    - name: Upload results to GitHub Open Source Scanning
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: snyk-oss.sarif
+
+    - name: Snyk Code Scanning
+      run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-code.sarif
+      continue-on-error: true
+    - name: Upload results to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: snyk-code.sarif
+
+    #- name: Build the Docker Image
+    #  run: docker build . --file Dockerfile --tag sebsnyk/juice-shop:latest
+
+    - name: Snyk Container Scanning
+      run: snyk container test --org=${{ secrets.SNYK_ORG }} --file=Dockerfile --sarif-file-output=snyk-container.sarif sebsnyk/juice-shop:latest
+      continue-on-error: true
+    - name: Upload results to GitHub Container Scanning
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: snyk-container.sarif
+
+    - name: Snyk Infrastructure-as-Code Scanning
+      run: snyk iac test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-iac.sarif
+      continue-on-error: true
+    - name: Upload results to GitHub IaC Scanning
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: snyk-iac.sarif
+

GitHubActions/README.md

@@ -2,11 +2,20 @@
 Using Snyk Effectively  on Github
 
 ## Using Snyk Actions
+All of these workflow use [Snyk Actions](https://github.com/snyk/actions) to execute the desired use cases.
 
+In order to use the Snyk Action, you will need to have a Snyk API token. You can sign up for a [free account](www.snyk.io/login) and save your [API token](https://github.com/snyk/actions#getting-your-snyk-token) as a secret in your Github repository.
 
-All of these workflow use [Snyk Actions](https://github.com/snyk/actions) to execute the desired use cases.
+### Inline display of SARIF data
+Github supports the inline display of scan results.
+During the Github Actions-run, the results get pushed to Github Security.
+
+![](gh-actions-pipeline-npm-nodejs-sarif.png)
 
-In order to use the Snyk Action, you will need to have a Snyk API toke. You can sign up for a [free account](www.snyk.io/login) and save your [API token](https://github.com/snyk/actions#getting-your-snyk-token) as a secret in your Github repository.
+On an issue-card you can immediately review the issue:
+![](gh-actions-pipeline-npm-nodejs-sarif_issue_card.png)
+
+See [GH-actions-pipeline-npm-nodejs-sarif.yml](GH-actions-pipeline-npm-nodejs-sarif.yml) for instructions how to get this output and build-workflow.
 
 ### Open Source Delta Check
 This workflow lets you block pipelines only if new vulnerabilities are introduced. It uses the [Snyk Delta](https://github.com/kriti-d/snyk-delta-check) tool to do the comparison with an already existing monitored projects to show results.
@@ -15,15 +24,13 @@ This workflow lets you block pipelines only if new vulnerabilities are introduce
 jobs:
   security:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [12.x]
+
     steps:
       - uses: actions/checkout@master
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Use Node.js
         uses: actions/setup-node@v1
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: 18.4
       - name: Installing snyk-delta and dependencies
         run: npm i -g snyk-delta
       - uses: snyk/actions/setup@master
@@ -34,7 +41,7 @@ jobs:
 ```
 
 ### Code Scanning Alerts for Snyk Code (SAST)
-This workflow tests your application for SAST vulnerabities and then presents them in the Secuirty tab of Github. It provides in-line details of where the vulnerability is found and provides details and guidance to fix.
+This workflow tests your application for SAST vulnerabities and then presents them in the Secuirty tab of Github. It provides in-line details of where the vulnerability is found and provides details and guidance to fix it.
 
 ```bash
 jobs:
@@ -76,7 +83,7 @@ jobs:
 ```
 
 ### Code Scanning IaC Results
-This workflow tests your infrastructure as code files for misconfigurations and populates them in the Secuirty Tab of github. It requires the path to the configuration file that you would like to test. For example `deployment.yaml` for a Kubernetes deployment manifest or `main.tf` for a Terraform configuration file
+This workflow tests your infrastructure as code files for misconfigurations and populates them in the Secuirty Tab of Github. It requires the path to the configuration file that you would like to test. For example `deployment.yaml` for a Kubernetes deployment manifest or `main.tf` for a Terraform configuration file.
 
 ```name: Snyk Infrastructure as Code Check
 jobs:
@@ -96,4 +103,4 @@ jobs:
         with:
           sarif_file: snyk.sarif
           name: Infrastructure as Code Snyk Results
-```
+```