From f28e9d3e9fbfb3c42968a6226e1e1b3cefa159ed Mon Sep 17 00:00:00 2001
From: Corey Daley
Date: Tue, 21 Jan 2025 16:13:44 -0500
Subject: [PATCH] Adding SNYK IaC Scanning
---
.github/workflows/snyk.yaml | 38 +++++++++++++++++++++++++++++++++++++
.gitignore | 1 +
2 files changed, 39 insertions(+)
create mode 100644 .github/workflows/snyk.yaml
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 00000000..306202b1
--- /dev/null
+++ b/.github/workflows/snyk.yaml
@@ -0,0 +1,38 @@
+name: SNYK
+
+on:
+ schedule:
+ - cron: "0 0 * * 0"
+
+jobs:
+ scan-iac:
+ name: Scan Rendered Templates
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v4.2.0
+ with:
+ version: v3.17.0
+
+ - name: Render Templates
+ run: |
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add backstage https://backstage.github.io/charts
+ helm repo update
+ helm dependency build ./charts/backstage
+ helm template ./charts/backstage/ --output-dir ./output
+
+ - name: Run SNYK IaC Scan
+ continue-on-error: true
+ uses: snyk/actions/iac@0.4.0
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
+ with:
+ args: --report --org=$SNYK_ORG_ID --target-name="redhat-developer/rhdh-chart"
+ file: ./output/
diff --git a/.gitignore b/.gitignore
index c57c5470..8d0f9547 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 # helm chart dependencies
 charts/*/charts/
 **/charts/*.tgz
+output
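Review bot: The new `.github/workflows/snyk.yaml` declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope even though its steps only read the tree and call out to Snyk; add `permissions:` / `  contents: read` at the top level of the workflow to keep the token at least privilege. The three third-party actions (`actions/checkout@v3`, `azure/setup-helm@v4.2.0`, `snyk/actions/iac@0.4.0`) are referenced by mutable tags rather than commit SHAs, and the last one receives `SNYK_TOKEN` in its environment; pinning each as `uses: snyk/actions/iac@<FULL_COMMIT_SHA> # 0.4.0` removes the possibility that a re-pointed tag changes what runs with that secret. `continue-on-error: true` on the scan step means neither a scanner failure nor a finding ever turns the run red, which is plausibly intended for a `--report`-only scheduled job but deserves a one-line comment such as `# report-only: findings are uploaded to Snyk, the run never fails` so nobody later assumes this workflow gates anything. Whether `$SNYK_ORG_ID` inside `args` is shell-expanded depends on how the action's entrypoint hands the string to the CLI; writing `--org=${{ secrets.SNYK_ORG_ID }}` lets GitHub substitute it before the action sees it and drops the dependence on that behaviour.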
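Review bot: The added pattern `output` in `.gitignore` is unanchored, so it ignores any file or directory named `output` anywhere in the tree, not only the `./output` directory that `helm template --output-dir ./output` writes in the new workflow; `/output/` would restrict it to the rendered-template directory at the repository root. The surrounding context lines are grouped under `# helm chart dependencies`, so a short comment above the new entry, such as `# rendered templates written by .github/workflows/snyk.yaml`, would keep the file's grouping readable.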