Add Snyk to Circle pipeline (Ruby)

rundeck · Dec 19, 2024 · 71df666 · 71df666
1 parent 48d3830
commit 71df666
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,8 +1,9 @@
-# Java Gradle CircleCI 2.0 configuration file
-#
-# Check https://circleci.com/docs/2.0/language-java/ for more details
-#
-version: 2
+version: 2.1
+
+orbs:
+  snyk: snyk/[email protected] # https://circleci.com/developer/orbs/orb/snyk/snyk
+  git: pagerduty/[email protected] # https://circleci.com/developer/orbs/orb/pagerduty/git (public PD orb)
+
 jobs:
   build:
     docker:
@@ -46,3 +47,19 @@ jobs:
           path: rd-cli-base/build/test-results
       - store_test_results:
           path: rd-api-client/build/test-results
+
+  snyk_test:
+    docker:
+      - image: cimg/openjdk:11.0 # this should match what's used in the rest of the project
+    steps:
+      - checkout
+      - setup_remote_docker
+      - git/rebase_on_main
+      - run:
+          name: 'Gradle build without running the tests'
+          command: './gradlew assemble' # pull in dependencies but do not run tests
+      # All Snyk commands below should be identical to any Snyk scan ran using our Snyk orb: https://github.com/PagerDuty/snyk-circleci-orb/blob/main/src/commands/scan.yml
+      - snyk/install
+      - run: snyk config set org='rundeck-core-mtgfa3XPaKGbFtHj9aRXhg' # this will need to be updated if the project changes owners
+      - run: snyk monitor --all-projects --detection-depth=10 --scan-all-unmanaged # run monitor first to push results to webui
+      - run: snyk test --severity-threshold=low --all-projects --detection-depth=10 --scan-all-unmanaged # will fail step if any results are found