Merge pull request #24 from Algodons/copilot/fix-snyk-auth-and-codeql

SMSDAO · web-flow · commit 029f5ebbfaca · 2025-12-17T11:42:01.000-08:00
diff --git a/.github/CI_CD_DOCUMENTATION.md b/.github/CI_CD_DOCUMENTATION.md
@@ -86,7 +86,52 @@ The repository uses GitHub Actions to automate:
 - Findings appear in the Security tab under Code scanning alerts
 - Failed scans will block PR merging if critical issues are found
 
-### 3. Automated Code Review (`code-review.yml`)
+### 3. Snyk Security Scan (`snyk.yml`)
+
+**Triggers:**
+- Pull requests to `main` and `develop`
+- Pushes to `main` and `develop`
+- Scheduled daily scans (2:00 AM UTC)
+- Manual workflow dispatch
+
+**Purpose:**
+- Scans for vulnerabilities in dependencies (npm packages)
+- Checks Docker container images for security issues
+- Performs static code analysis for security vulnerabilities
+- Monitors production dependencies
+
+**Jobs:**
+
+#### Snyk Dependency Scan
+- Scans npm dependencies for known vulnerabilities
+- Uploads results to GitHub Security tab
+- Fails on high severity issues
+
+#### Snyk Container Scan
+- Builds Docker image
+- Scans container for vulnerabilities
+- Only runs on push events and scheduled scans
+
+#### Snyk Code Analysis
+- Performs static code analysis
+- Identifies security issues in source code
+- Checks for common vulnerabilities (XSS, injection, etc.)
+
+#### Snyk Monitor (Production)
+- Monitors production dependencies
+- Only runs on pushes to main branch
+- Tracks vulnerabilities over time in Snyk dashboard
+
+**Configuration Required:**
+- **SNYK_TOKEN** secret must be configured (see Repository Secrets section)
+- Get your token from: https://app.snyk.io/account
+
+**Results:**
+- Findings appear in the Security tab under Code scanning alerts
+- SARIF files uploaded for integration with GitHub Security
+- Failed scans will block PR merging if critical issues are found
+
+### 4. Automated Code Review (`code-review.yml`)
 
 **Triggers:**
 - Pull requests opened, synchronized, or reopened
@@ -109,7 +154,7 @@ The repository uses GitHub Actions to automate:
 - Comments on PRs if bundle size increases significantly
 - Helps prevent performance regressions
 
-### 4. Auto-Approve Workflow (`auto-approve.yml`)
+### 5. Auto-Approve Workflow (`auto-approve.yml`)
 
 **Triggers:**
 - Pull requests opened, synchronized, or reopened
@@ -138,7 +183,7 @@ TRUSTED_USERS=(
 )
 ```
 
-### 5. PR Notifications (`pr-notifications.yml`)
+### 6. PR Notifications (`pr-notifications.yml`)
 
 **Triggers:**
 - PR opened, reopened, or marked ready for review
@@ -213,10 +258,11 @@ Follow the instructions in [BRANCH_PROTECTION.md](.github/BRANCH_PROTECTION.md)
 - Conversation resolution
 - Other protection settings
 
-### 3. Repository Secrets (Optional)
+### 3. Repository Secrets (Required & Optional)
 
 Configure in Settings → Secrets and variables → Actions:
-- `CODECOV_TOKEN` - For code coverage reporting
+- `SNYK_TOKEN` - **Required** for Snyk security scanning. Get your token from [Snyk Account Settings](https://app.snyk.io/account)
+- `CODECOV_TOKEN` - Optional for code coverage reporting
 
 ### 4. Create Required Labels
 
diff --git a/.github/SNYK_SETUP.md b/.github/SNYK_SETUP.md
@@ -0,0 +1,114 @@
+# Snyk Security Scanning Setup Guide
+
+## Overview
+This repository uses Snyk for comprehensive security scanning of dependencies, container images, and source code. The Snyk workflow has been configured but requires a secret token to function properly.
+
+## Required Configuration
+
+### Step 1: Obtain Your Snyk API Token
+1. Go to [Snyk Account Settings](https://app.snyk.io/account)
+2. Log in to your Snyk account (create one if you don't have it)
+3. Navigate to **Settings** → **General** → **API Token**
+4. Click **Show** to reveal your API token
+5. Copy the token (it should start with a UUID format)
+
+### Step 2: Add SNYK_TOKEN to GitHub Repository Secrets
+1. Go to your GitHub repository: https://github.com/Algodons/algo
+2. Navigate to **Settings** → **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Set the following:
+   - **Name**: `SNYK_TOKEN`
+   - **Secret**: Paste your Snyk API token from Step 1
+5. Click **Add secret**
+
+### Step 3: Verify the Configuration
+After adding the secret, the Snyk workflow will be able to authenticate properly. You can verify by:
+
+1. Pushing a commit to `main` or `develop` branch, or
+2. Manually triggering the workflow from the Actions tab
+3. Checking that the workflow runs successfully without authentication errors
+
+## What This Enables
+
+With the SNYK_TOKEN configured, the repository will have:
+
+### 1. **Dependency Scanning**
+- Automatically scans `package.json` and `package-lock.json` for vulnerable dependencies
+- Runs on every push and pull request
+- Results uploaded to GitHub Security tab
+
+### 2. **Container Scanning**
+- Scans Docker images for vulnerabilities
+- Checks base images and installed packages
+- Runs on pushes to main/develop branches
+
+### 3. **Code Analysis**
+- Static analysis of source code for security issues
+- Identifies common vulnerabilities (XSS, SQL injection, etc.)
+- Provides remediation advice
+
+### 4. **Production Monitoring**
+- Monitors production dependencies on main branch
+- Tracks vulnerabilities over time in Snyk dashboard
+- Sends alerts for newly discovered issues
+
+## Workflow Schedule
+
+The Snyk security scan runs:
+- On every push to `main` and `develop` branches
+- On every pull request to `main` and `develop` branches
+- Daily at 2:00 AM UTC (scheduled scan)
+- On manual workflow dispatch
+
+## Viewing Results
+
+### In GitHub
+1. Go to the **Security** tab in your repository
+2. Click **Code scanning alerts**
+3. Filter by tool: "Snyk"
+
+### In Snyk Dashboard
+1. Log in to [Snyk Dashboard](https://app.snyk.io)
+2. Select your organization
+3. View "algo-cloud-ide" project
+4. See detailed vulnerability reports and remediation advice
+
+## Troubleshooting
+
+### Authentication Errors (SNYK-0005)
+**Error**: `Authentication credentials not recognized, or user access is not provisioned`
+
+**Solutions**:
+- Verify SNYK_TOKEN secret is correctly set in GitHub
+- Ensure the token is valid and not expired
+- Regenerate a new token from Snyk if needed
+- Check that the token has proper permissions in Snyk
+
+### Missing SARIF File
+**Error**: `Path does not exist: snyk.sarif`
+
+**Solutions**:
+- This usually occurs when authentication fails
+- Fix the SNYK_TOKEN first
+- The SARIF file is now automatically generated with `--sarif-file-output=snyk.sarif`
+
+### Incompatible CLI Flags
+**Error**: `Invalid flag option (SNYK-CLI-0004)`
+
+**Solutions**:
+- This has been fixed in the workflow
+- The monitor job now only uses `--all-projects` flag
+- No action needed
+
+## Support
+
+For questions or issues:
+1. Check the [Snyk Documentation](https://docs.snyk.io/)
+2. Review workflow logs in GitHub Actions tab
+3. Contact the DevOps team
+4. Open an issue in the repository
+
+## Security Note
+
+⚠️ **Never commit the SNYK_TOKEN to version control!**  
+Always use GitHub Secrets for storing sensitive tokens and credentials.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -32,7 +32,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
@@ -52,7 +52,7 @@ jobs:
           npm run build:server
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"
 
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -94,7 +94,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Semgrep results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: semgrep.sarif
@@ -118,7 +118,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload OSV results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: osv-results.sarif
@@ -143,7 +143,7 @@ jobs:
         continue-on-error: true
 
       - name: Upload Hadolint results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: hadolint.sarif
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -43,10 +43,10 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --severity-threshold=high --all-projects
+          args: --severity-threshold=high --all-projects --sarif-file-output=snyk.sarif
 
       - name: Upload Snyk results to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: snyk.sarif
@@ -70,10 +70,10 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           image: algo-cloud-ide:${{ github.sha }}
-          args: --severity-threshold=high
+          args: --severity-threshold=high --sarif-file-output=snyk.sarif
 
       - name: Upload Snyk container results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: snyk.sarif
@@ -93,10 +93,10 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           command: code test
-          args: --severity-threshold=high
+          args: --severity-threshold=high --sarif-file-output=snyk.sarif
 
       - name: Upload Snyk Code results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: snyk.sarif
@@ -125,7 +125,7 @@ jobs:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           command: monitor
-          args: --all-projects --project-name="algo-cloud-ide"
+          args: --all-projects
 
   dependency-review:
     name: Dependency Review
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -39,7 +39,7 @@ jobs:
           ignore-unfixed: true
 
       - name: Upload Trivy repo scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-repo-results.sarif'
@@ -72,7 +72,7 @@ jobs:
           exit-code: '0'
 
       - name: Upload Trivy config scan results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-config-results.sarif'
@@ -100,7 +100,7 @@ jobs:
           vuln-type: 'os,library'
 
       - name: Upload Trivy Docker scan results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-docker-results.sarif'
@@ -133,7 +133,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM'
 
       - name: Upload Trivy Kubernetes scan results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
           sarif_file: 'trivy-k8s-results.sarif'
