security-scan.yml

name: Security Scan

on:
  schedule:
    - cron: "0 12 * * 1" # 12pm UTC every Monday
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Snyk code scan
        uses: snyk/actions/gradle@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_KEY }}
        with:
          command: code test

      - name: Snyk dependency scan
        uses: snyk/actions/gradle@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_API_KEY }}
        with:
          args: --all-sub-projects --severity-threshold=high

      - name: Android Dependency Security Scan
        if: failure()
        id: slack
        uses: slackapi/slack-github-action@v1.27.0
        with:
          channel-id: ${{ vars.SLACK_DUCKBOT_SECURITY_SCAN_ALERT_CHANNEL_ID}}
          payload: |
            {
              "text": "Security Scan Failed"
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "GitHub Action build result: ${{ job.status }}\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                  }
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_DUCKBOT_API_KEY }}