Add snyk to CI

Use proper snyk flow https://snyk.io/docs/using-snyk/
This commit is contained in:
curben 2018-09-25 09:46:25 +09:30
parent 7c9301705b
commit 1b594c706e
3 changed files with 34 additions and 17 deletions

View File

@ -1,19 +1,37 @@
# Use latest version of Node.js
image: node:latest
stages:
- build
- test
- deploy
pages:
cache: # add cache to 'node_modules' for speeding up builds
cache: # add cache to 'node_modules' for speeding up builds
paths:
- node_modules/ # Node modules and dependencies
only:
- master # CI will affect only the 'master' branch
build-job:
stage: build
script:
- npm install hexo-cli -g
- npm install -g hexo-cli snyk
- npm install
- snyk auth $SNYK_TOKEN
snyk-test:
stage: test
script:
- snyk test # Test node modules for vulnerability
pages:
stage: deploy
script:
- snyk protect # Apply patches to node modules
- hexo deploy # deploy the site
- find public -type f -iregex '.*\.\(htm\|html\|txt\|text\|js\|css\)$' -execdir gzip -f --keep {} \; # Compress files
artifacts:
paths:
- public # deploy to the 'public' folder
only:
- master # this job will affect only the 'master' branch
when: on_success

7
.snyk
View File

@ -1,6 +1,11 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.12.0
ignore: {}
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
'npm:braces:20180219':
- '*':
reason: Patch/update unavailable
expires: 2018-12-31T00:00:00.000Z
# patches apply the minimum changes required to fix a vulnerability
patch:
'npm:lodash:20180130':

View File

@ -16,12 +16,6 @@
"hexo-renderer-ejs": "latest",
"hexo-renderer-stylus": "latest",
"hexo-renderer-marked": "latest",
"hexo-server": "latest",
"snyk": "^1.97.1"
},
"scripts": {
"snyk-protect": "snyk protect",
"prepare": "npm run snyk-protect"
},
"snyk": true
"hexo-server": "latest"
}
}