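---
# Snyk security scanning for this repository: open-source dependency scan,
# container-image scan, Snyk Code (SAST), production monitoring on main, and
# GitHub's own dependency review on pull requests. Scan findings are published
# to GitHub Code Scanning as SARIF.
#
# Security notes for maintainers:
#   * `pull_request` (not `pull_request_target`) is used, so PR runs from forks
#     get a read-only token and no `secrets.SNYK_TOKEN`; the Snyk steps fail on
#     such PRs and the SARIF upload below is skipped instead of erroring.
#   * The Snyk test steps use `continue-on-error: true` because Snyk exits
#     non-zero when findings are present and the SARIF upload must still run.
#     Consequently these jobs never fail on vulnerabilities by themselves;
#     enforce the gate via the Code Scanning status check (or `--fail-on=...`
#     in the Snyk args) if merges should be blocked.
#   * The snyk/actions steps reference the mutable `@master` branch. Pin them
#     to a full-length commit SHA (Dependabot/Renovate can keep it current) so
#     an upstream change cannot run arbitrary code with SNYK_TOKEN in scope.
name: Snyk Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

# Least-privilege defaults for every job: `security-events: write` is what the
# SARIF upload needs; `actions: read` is needed by upload-sarif on private
# repositories. Individual jobs override this block where they need more.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  snyk-scan:
    name: Snyk Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run Snyk to check for vulnerabilities
        # TODO(security): pin to a commit SHA instead of the mutable `master` ref.
        uses: snyk/actions/node@master
        continue-on-error: true  # Snyk exits non-zero on findings; see header notes
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --all-projects --sarif-file-output=snyk.sarif

      - name: Upload Snyk results to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v4
        # Upload even after a failed scan, but only when a SARIF file was
        # actually written (e.g. not on fork PRs where the token is absent).
        if: always() && hashFiles('snyk.sarif') != ''
        with:
          sarif_file: snyk.sarif
          # Distinct categories keep the three Snyk uploads for the same commit
          # from replacing one another in Code Scanning.
          category: snyk-dependencies

  snyk-container:
    name: Snyk Container Scan
    runs-on: ubuntu-latest
    # Image scans run on pushes and the nightly schedule only; PR builds are
    # not scanned here.
    if: github.event_name == 'push' || github.event_name == 'schedule'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build Docker image
        # github.sha is a fixed-format commit hash, so it is safe to interpolate
        # into the shell command.
        run: docker build -t algo-cloud-ide:${{ github.sha }} .

      - name: Run Snyk to check Docker image for vulnerabilities
        # TODO(security): pin to a commit SHA instead of the mutable `master` ref.
        uses: snyk/actions/docker@master
        continue-on-error: true  # Snyk exits non-zero on findings; see header notes
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: algo-cloud-ide:${{ github.sha }}
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      - name: Upload Snyk container results
        uses: github/codeql-action/upload-sarif@v4
        # Skip the upload when the scan produced no SARIF file.
        if: always() && hashFiles('snyk.sarif') != ''
        with:
          sarif_file: snyk.sarif
          category: snyk-container

  snyk-code:
    name: Snyk Code Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Snyk Code test
        # TODO(security): pin to a commit SHA instead of the mutable `master` ref.
        uses: snyk/actions/node@master
        continue-on-error: true  # Snyk exits non-zero on findings; see header notes
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test
          args: --severity-threshold=high --sarif-file-output=snyk.sarif

      - name: Upload Snyk Code results
        uses: github/codeql-action/upload-sarif@v4
        # Skip the upload when the scan produced no SARIF file.
        if: always() && hashFiles('snyk.sarif') != ''
        with:
          sarif_file: snyk.sarif
          category: snyk-code

  snyk-monitor:
    name: Snyk Monitor (Production)
    runs-on: ubuntu-latest
    # Only the main branch is registered with Snyk for continuous monitoring;
    # a failure here should be visible, so no continue-on-error.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Monitor with Snyk
        # TODO(security): pin to a commit SHA instead of the mutable `master` ref.
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: --all-projects

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    # This job replaces the workflow-level permissions block: `pull-requests:
    # write` is only exercised if `comment-summary-in-pr` is enabled on the
    # action; drop it if that input stays at its default.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          # Stricter than the Snyk `high` threshold on purpose: this check
          # gates newly introduced dependencies on PRs.
          fail-on-severity: moderate
          deny-licenses: GPL-2.0, GPL-3.0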