chore: add Snyk security scanning and dependency review workflows#1059
chore: add Snyk security scanning and dependency review workflows#1059c-warren wants to merge 1 commit into
Conversation
CI failed: The newly added Snyk security scanning workflow is failing due to an authentication error (401 Unauthorized) caused by a missing or invalid SNYK_TOKEN secret.OverviewThe Snyk security scanning workflow failed during the execution of the FailuresSnyk Authentication Failure (confidence: high)
Summary
Code Review
|
| Auto-apply | Compact |
|
|
Was this helpful? React with 👍 / 👎 | Gitar
| - uses: actions/checkout@v4 | ||
| - name: Run Snyk to check for vulnerabilities | ||
| if: github.event_name == 'pull_request' | ||
| uses: snyk/actions/gradle-jdk11@master |
There was a problem hiding this comment.
⚠️ Security: Snyk action pinned to mutable @master ref
Using snyk/actions/gradle-jdk11@master pins the action to a branch that can change at any time. If the upstream repository is compromised or force-pushed, arbitrary code could run in this workflow with security-events: write and access to the SNYK_TOKEN secret. Best practice is to pin third-party actions to a full commit SHA (and optionally add a comment with the version tag for readability).
Pin Snyk actions to a specific commit SHA to prevent supply-chain attacks via a compromised upstream branch.:
- name: Run Snyk to check for vulnerabilities
if: github.event_name == 'pull_request'
uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release> # e.g. tag vX.Y.Z
...
- name: Monitor on default branch
if: github.event_name == 'push'
uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release> # e.g. tag vX.Y.Z
Was this helpful? React with 👍 / 👎
| - name: Upload result to GitHub Code Scanning | ||
| if: github.event_name == 'pull_request' | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: snyk.sarif |
There was a problem hiding this comment.
⚠️ Bug: SARIF upload may fail if snyk.sarif is not created on push
On a push event, the Snyk scan step (line 17-24) is skipped due to the if: github.event_name == 'pull_request' condition, so snyk.sarif is never written. The upload step (line 25-29) also has the same condition so it is correctly skipped. However, if the scan step fails early (before writing the file) on a PR, continue-on-error: true lets the workflow proceed to the upload step which will then fail because snyk.sarif doesn't exist. Consider adding if: success() || failure() with a file-existence check, or at minimum note that the upload step should also have continue-on-error: true.
Only attempt upload when the SARIF file actually exists, preventing failures when the Snyk step errors before producing output.:
- name: Upload result to GitHub Code Scanning
if: github.event_name == 'pull_request' && hashFiles('snyk.sarif') != ''
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
Was this helpful? React with 👍 / 👎
|
Closing in favour of Snyk's native GitHub integration |
Summary
snyk monitoron pushes to the default branch to register a dependency snapshot in Snyk for ongoing trackingdependency-review-actionon PRs to surface newly introduced dependencies and any known vulnerabilities in themPrerequisites
SNYK_TOKENmust be added to this repository's GitHub Actions secrets (Settings → Secrets and variables → Actions) before the Snyk jobs will succeed.