Merge pull request #1667 from GSA/new-snyk

new snyk

Author: FuhuXia

.github/workflows/snyk.yml

@@ -1,22 +1,28 @@
 ---
-name: Check for Snyk Vulnerabilities
+name: Snyk Security
 
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 12 * * *'  # every day at 12pm UTC
+    # Run weekly on Sundays at 2:00 AM EST (7:00 AM UTC)
+    - cron: '0 7 * * 0'
+  push:
+    branches:
+      - main
 
 jobs:
-  snyk:
+  snyk-test:
     name: snyk test
     runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Set up Python 3.10
         uses: actions/setup-python@v5
         with:
-          python-version: '3.10'
+          python-version: 3.10.14
+          cache: 'pip'
       - name: Display Python version
         run: python -c "import sys; print(sys.version)"
       - name: Install Dependencies
@@ -28,26 +34,27 @@ jobs:
             libxmlsec1-dev libxmlsec1-openssl libgeos-dev proj-bin \
             libpq-dev
           pip3 install -r requirements.txt
+      # yamllint disable rule:line-length
       - name: Run Snyk Scan
         run: |
           # Run scan
           snyk auth ${{ secrets.SNYK_TOKEN }}
-          snyk test --severity-threshold=medium --file=ckan/requirements.txt --json-file-output=scan.json || echo "Scan complete"
+          snyk test --severity-threshold=medium --file=requirements.txt --json-file-output=/tmp/scan.json || echo "Scan complete"
 
           # Exit if no vulnerabilities
           # Succeed, so that PR is NOT created
-          [[ "$(jq '.ok' scan.json)" == "true" ]] && exit 0
+          [[ "$(jq '.ok' /tmp/scan.json)" == "true" ]] && exit 0
 
           # Update requirements.in with the snyk fix suggestions
-          python tools/snyk-update.py
+          python bin/snyk-update.py
 
           # Update requirements.txt
-          make update-dependencies
+          make requirements
 
           # Check if there are any changes
           if [ -z "$(git status --porcelain)" ]; then
             echo "Found vulnerable issues but no upgrade or patch available"
-            cat scan.json | jq '[.vulnerabilities[] | .id] | unique[]'
+            cat /tmp/scan.json | jq '[.vulnerabilities[] | .id] | unique[]'
           else
             echo "Changes made to add into PR: "
             git diff
@@ -77,3 +84,41 @@ jobs:
             automated pr
             snyk
           draft: false
+          # yamllint enable rule:line-length
+
+  snyk-monitor:
+    name: snyk monitor
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.10
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.10.14
+          cache: 'pip'
+
+      - name: Display Python version
+        run: python -c "import sys; print(sys.version)"
+
+      - name: Install Dependencies
+        run: |
+          npm install snyk -g
+          sudo apt-get update -y
+          sudo apt-get install -y \
+            openssl libssl-dev libffi-dev pkg-config libxml2-dev \
+            libxmlsec1-dev libxmlsec1-openssl libgeos-dev proj-bin \
+            libpq-dev
+          pip3 install -r requirements.txt
+
+      - name: Run Snyk Monitor
+        run: |
+          # Authenticate with Snyk
+          snyk auth ${{ secrets.SNYK_TOKEN }}
+
+          # Run snyk monitor to track dependencies
+          snyk monitor --file=requirements.txt

.python-version

@@ -0,0 +1 @@
+3.10

ckan/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.10
+FROM python:3.10-slim
 
 # Install Dependencies
 # - Download Saxon jar for FGDC2ISO transform (geodatagov)
@@ -10,6 +10,17 @@ RUN apt-get update -y && \
     openssl libssl-dev libffi-dev pkg-config libxml2-dev libxmlsec1-dev libxmlsec1-openssl \
     vim zip libgeos-dev proj-bin cron default-jre xmlsec1
 
+# Add more to slim image
+RUN apt-get install -y git libpq-dev gcc libmagic1 libmagic-dev
+
+# Update PAM packages to fix CVE-2025-6020 SNYK-DEBIAN12-PAM-10378969
+RUN apt-get install -y --only-upgrade libpam-modules libpam0g libpam-runtime
+
+# increase security by removing unnecessary packages
+RUN apt-get upgrade -y && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
 ARG saxon_ver=9.9.1-7
 ADD \
   https://repo1.maven.org/maven2/net/sf/saxon/Saxon-HE/${saxon_ver}/Saxon-HE-${saxon_ver}.jar \