Merge branch 'dev' into rasswanth/deprecate_hagrid

OpenMined · May 16, 2024 · 5d92965 · 5d92965
2 parents b7c554b + 337ce12
commit 5d92965
Show file tree

Hide file tree

Showing 80 changed files with 2,317 additions and 1,856 deletions.
diff --git a/.dockerignore b/.dockerignore
diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml
@@ -274,30 +274,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Set up Snyk CLI to check for security issues
-        # Snyk can be used to break the build when it detects security issues.
-        # In this case we want to upload the SAST issues to GitHub Code Scanning
-        uses: snyk/actions/setup@master
-        env:
-          # This is where you will need to introduce the Snyk API token created with your Snyk account
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-      - name: Snyk auth
-        shell: bash
-        run: snyk config set api=$SNYK_TOKEN
-        env:
-          # This is where you will need to introduce the Snyk API token created with your Snyk account
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
       - name: Snyk Container test
+        uses: snyk/actions/docker@master
         continue-on-error: true
-        shell: bash
-        run: snyk container test mongo:7.0.0 --sarif --sarif-file-output=snyk-code.sarif
         env:
           # This is where you will need to introduce the Snyk API token created with your Snyk account
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: mongo:7.0.0
+          args: --sarif-file-output=snyk-code.sarif
+
+        # Replace any "undefined" security severity values with 0. The undefined value is used in the case
+        # of license-related findings, which do not do not indicate a security vulnerability.
+        # See https://github.com/github/codeql-action/issues/2187 for more context.
+      - name: Post-process sarif output
+        run: |
+          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk-code.sarif
+
+        # Replace any "null" security severity values with 0. The undefined value is used in the case
+        # the NVD CVSS Score is not available.
+        # See  https://github.com/Erikvl87/docker-languagetool/issues/90 and https://github.com/github/codeql-action/issues/2187 for more context.
+      - name: Post-process sarif output for security severities set to "null"
+        run: |
+          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk-code.sarif
 
-        # Push the Snyk Code results into GitHub Code Scanning tab
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
@@ -352,29 +352,29 @@ jobs:
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - name: Set up Snyk CLI to check for security issues
-        # Snyk can be used to break the build when it detects security issues.
-        # In this case we want to upload the SAST issues to GitHub Code Scanning
-        uses: snyk/actions/setup@master
-        env:
-          # This is where you will need to introduce the Snyk API token created with your Snyk account
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-      - name: Snyk auth
-        shell: bash
-        run: snyk config set api=$SNYK_TOKEN
-        env:
-          # This is where you will need to introduce the Snyk API token created with your Snyk account
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
       - name: Snyk Container test
+        uses: snyk/actions/docker@master
         continue-on-error: true
-        shell: bash
-        run: snyk container test traefik:v2.11.0 --sarif --sarif-file-output=snyk-code.sarif
         env:
           # This is where you will need to introduce the Snyk API token created with your Snyk account
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: traefik:v2.11.0
+          args: --sarif-file-output=snyk-code.sarif
+
+        # Replace any "undefined" security severity values with 0. The undefined value is used in the case
+        # of license-related findings, which do not do not indicate a security vulnerability.
+        # See https://github.com/github/codeql-action/issues/2187 for more context.
+      - name: Post-process sarif output
+        run: |
+          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk-code.sarif
+
+        # Replace any "null" security severity values with 0. The undefined value is used in the case
+        # the NVD CVSS Score is not available.
+        # See  https://github.com/Erikvl87/docker-languagetool/issues/90 and https://github.com/github/codeql-action/issues/2187 for more context.
+      - name: Post-process sarif output for security severities set to "null"
+        run: |
+          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk-code.sarif
 
         # Push the Snyk Code results into GitHub Code Scanning tab
       - name: Upload result to GitHub Code Scanning