.github/workflows/security.yaml

---
name: Security Scans
on:
  workflow_dispatch: {}
  schedule:
    - cron: "16 04 * * *"

jobs:
  snyk:
    name: Snyk Scan
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    permissions:
      packages: read
      contents: read
    steps:
      - uses: actions/checkout@master
      - uses: actions/setup-python@v3
      - uses: snyk/actions/setup@master
      - run: pip install -r requirements.txt
        working-directory: tests/docs
      - run: |
          snyk test --all-projects --severity-threshold=medium
          snyk code test --all-projects --severity-threshold=medium

  teams-notification:
    if: ${{ failure() }}
    name: Send an alram to Microsoft teams
    needs: [snyk]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: aliencube/microsoft-teams-actions@v0.8.0
        with:
          webhook_uri: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
          title: |
            [SEC] Security scan failed for ${{ github.repository }}
          text: |
            *Scan status*

            - Snyk: ${{needs.snyk.result }}

            *Workflow run link:* ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          actions: |
            [{
              "@type": "OpenUri",
              "name": "Workflow run",
              "targets": [{
                "os": "default",
                "uri": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
              }]
            }]