From e27fb85491cdf6fe654c09ac32532092e0e5e5be Mon Sep 17 00:00:00 2001
From: Ahmed yasser <26207361+1AhmedYasser@users.noreply.github.com>
Date: Wed, 24 Apr 2024 16:49:25 +0200
Subject: [PATCH] Apply automated pipelines for external dependencies (#500)

* Create snyk-security.yml

* Create sonarcloud.yml

* Update dependabot.yml
---
 .github/dependabot.yml              |  9 +---
 .github/workflows/snyk-security.yml | 65 +++++++++++++++++++++++++++++
 .github/workflows/sonarcloud.yml    | 41 ++++++++++++++++++
 3 files changed, 108 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/snyk-security.yml
 create mode 100644 .github/workflows/sonarcloud.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6d4381e2..9f0addf7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,12 +3,7 @@ updates:
   - package-ecosystem: "npm"
     directory: "/GUI"
     schedule:
-      time: "08:00"
+      time: "00:00"
       interval: "daily"
-    allow:
-      - dependency-name: "@buerokratt-ria/header"
-      - dependency-name: "@buerokratt-ria/styles"
-      - dependency-name: "@buerokratt-ria/menu"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 50
     target-branch: "dev"
-    versioning-strategy: "increase"
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 00000000..22f53f5c
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,65 @@
+name: Snyk Security
+
+on:
+  push:
+    branches: ["dev"]
+  schedule:
+    - cron: '0 0 * * *'
+    
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+        # Application dependencies
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+
+        env:
+          # This is where you will need to introduce the Snyk API token created with your Snyk account
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+        # Authenticate Snyk
+        # Use || true to not fail the pipeline
+      - name: Snyk Auth
+        run:  snyk auth ${{ secrets.SNYK_TOKEN }}   
+
+        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+        # Use || true to not fail the pipeline
+      - name: Snyk Code test
+        run: snyk code test --sarif > snyk-code.sarif || true
+
+        # Install Dependencies
+      - name: Install Dependencies
+        run:  cd GUI/ && npm install --legacy-peer-deps  
+
+        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+      - name: Snyk Open Source monitor
+        run: snyk monitor --all-projects
+
+        # Build the docker image for testing
+      - name: Build a Docker image
+        run: cd GUI/ && docker build -f Dockerfile.dev -t gui .
+      
+      #   # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
+      - name: Snyk Container monitor
+        run: snyk container monitor gui
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-code.sarif
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
new file mode 100644
index 00000000..7c883da4
--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,41 @@
+name: SonarCloud analysis
+
+on:
+  push:
+    branches: [ "dev" ]
+  schedule:
+    - cron: '0 0 * * *'  
+  workflow_dispatch:
+
+permissions:
+  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
+
+jobs:
+  Analysis:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Analyze with SonarCloud
+        # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
+        with:
+          # Additional arguments for the sonarcloud scanner
+          args:
+            # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu)
+            # mandatory
+            -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
+            -Dsonar.organization=${{ secrets.SONAR_ORGANIZATION }}
+            # Comma-separated paths to directories containing main source files.
+            #-Dsonar.sources= # optional, default is project base directory
+            # When you need the analysis to take place in a directory other than the one from which it was launched
+            #-Dsonar.projectBaseDir= # optional, default is .
+            # Comma-separated paths to directories containing test source files.
+            #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/
+            # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing.
+            #-Dsonar.verbose= # optional, default is false