name: Snyk

on: 
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:
  analysis:
    name: Analysis of Quarkus and Operator
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
    steps:
      - uses: actions/checkout@v4

      - name: Build Keycloak
        uses: ./.github/actions/build-keycloak

      - uses: snyk/actions/setup@master

      - name: Check for vulnerabilities in Quarkus
        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus/deployment
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload Quarkus scanner results to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: quarkus-report.sarif
          category: snyk-quarkus-report

      - name: Check for vulnerabilities in Operator
        run: |
          ./mvnw -Poperator -pl operator -am -DskipTests clean install --batch-mode
          snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Upload Operator scanner results to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: operator-report.sarif
          category: snyk-operator-report