keycloak/.github/workflows/snyk.yml

name: "Snyk"

on:
  schedule:
    - cron: "0 0 * * *"

env:
  DEFAULT_JDK_VERSION: 11
  MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryHandler.class=standard -Dmaven.wagon.http.retryHandler.count=3 -Dmaven.wagon.httpconnectionManager.ttlSeconds=120

jobs:
  quarkus:
    name: Quarkus
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'keycloak/keycloak' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          java-version: ${{ env.DEFAULT_JDK_VERSION }}
          distribution: temurin
          cache: maven

      - name: Build Quarkus
        run: mvn -Psnyk-quarkus -pl quarkus/dist -am -DskipTests clean install

      - uses: snyk/actions/setup@master
      - name: Check for vulnerabilities
        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload scanner results to GitHub
        uses: github/codeql-action/upload-sarif@v2.1.36
        with:
          sarif_file: quarkus-report.sarif

  operator:
    name: Operator
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'keycloak/keycloak' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          java-version: ${{ env.DEFAULT_JDK_VERSION }}
          distribution: temurin
          cache: maven

      - name: Build Keycloak
        run: mvn -Poperator -pl operator -am -DskipTests clean install

      - uses: snyk/actions/setup@master
      - name: Check for vulnerabilities for the Operator
        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload scanner results for the Operator to GitHub
        uses: github/codeql-action/upload-sarif@v2.1.36
        with:
          sarif_file: operator-report.sarif