chore: add quality gates using snyk actions (#283)

.github/workflows/pr-workflow.yml

@@ -12,6 +12,38 @@ env:
   DEFAULT_BRANCH: main
 
 jobs:
+  security-open-source-scan:
+      runs-on: ubuntu-latest
+      environment: snyk-msbuild-envs
+      steps:
+        - uses: actions/checkout@v4
+        - name: Setup .NET
+          uses: actions/setup-dotnet@v4
+        - name: Restore dependencies
+          run: dotnet restore /home/runner/work/snyk-visual-studio-plugin/snyk-visual-studio-plugin
+        - name: Run Snyk to check for vulnerabilities
+          uses: snyk/actions/dotnet@master
+          env:
+            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          with:
+            command: test
+            args: 
+              --all-projects
+              --exclude=Snyk.VisualStudio.Extension.Tests,Snyk.Common.Tests,Snyk.Code.Library.Tests,Tests
+              --severity-threshold=high
+  security-code-scan:
+      runs-on: ubuntu-latest
+      environment: snyk-msbuild-envs
+      steps:
+        - uses: actions/checkout@v4
+        - name: Run Snyk to check for vulnerabilities
+          uses: snyk/actions/dotnet@master
+          env:
+            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          with:
+            command: code test
+            args:
+              --severity-threshold=high
   build-project:
     uses: snyk/snyk-visual-studio-plugin/.github/workflows/build-project.yml@main
     with:

.github/workflows/security-scan-upload.yml

@@ -0,0 +1,42 @@
+name: Security Scan Upload
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  security-open-source-monitor:
+    runs-on: ubuntu-latest
+    environment: snyk-msbuild-envs
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+      - name: Restore dependencies
+        run: dotnet restore /home/runner/work/snyk-visual-studio-plugin/snyk-visual-studio-plugin
+      - name: Run snyk monitor
+        uses: snyk/actions/dotnet@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: 
+            --all-projects
+            --exclude=Snyk.VisualStudio.Extension.Tests,Snyk.Common.Tests,Snyk.Code.Library.Tests,Tests
+  security-code-monitor:
+    runs-on: ubuntu-latest
+    environment: snyk-msbuild-envs
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run snyk monitor
+        uses: snyk/actions/dotnet@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: code test 
+          args:
+            --report
+            --project-name="snyk/${{ github.event.repository.name }}"

.snyk

@@ -1,6 +1,12 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
+exclude:
+    global:
+        #Exclude test directory for snyk code scan
+        - Snyk.Code.Library.Tests
+        - Snyk.Common.Tests
+        - Snyk.VisualStudio.Extension.Tests
 ignore:
   SNYK-DOTNET-NEWTONSOFTJSON-2774678:
     - '*':