Skip to content

chore: add Snyk security scanning and dependency review workflows#1059

Closed
c-warren wants to merge 1 commit into
cadence-workflow:masterfrom
c-warren:feature/add-snyk-security-scanning
Closed

chore: add Snyk security scanning and dependency review workflows#1059
c-warren wants to merge 1 commit into
cadence-workflow:masterfrom
c-warren:feature/add-snyk-security-scanning

Conversation

@c-warren

Copy link
Copy Markdown
Contributor

Summary

  • Adds Snyk vulnerability scanning on PRs (advisory, non-blocking) with results uploaded to the GitHub Security tab via SARIF
  • Runs snyk monitor on pushes to the default branch to register a dependency snapshot in Snyk for ongoing tracking
  • Adds dependency-review-action on PRs to surface newly introduced dependencies and any known vulnerabilities in them

Prerequisites

SNYK_TOKEN must be added to this repository's GitHub Actions secrets (Settings → Secrets and variables → Actions) before the Snyk jobs will succeed.

@gitar-bot

gitar-bot Bot commented May 14, 2026

Copy link
Copy Markdown
CI failed: The newly added Snyk security scanning workflow is failing due to an authentication error (401 Unauthorized) caused by a missing or invalid SNYK_TOKEN secret.

Overview

The Snyk security scanning workflow failed during the execution of the snyk test command. The build failed because the provided credentials for Snyk were rejected, preventing the scan from completing and generating the expected SARIF output.

Failures

Snyk Authentication Failure (confidence: high)

  • Type: authentication
  • Affected jobs: 76058132779
  • Related to change: yes
  • Root cause: The SNYK_TOKEN secret is either missing, misconfigured, or expired in the GitHub repository settings, resulting in a 401 Unauthorized status when the workflow attempts to authenticate with the Snyk service.
  • Suggested fix: Verify that the SNYK_TOKEN secret is correctly defined under the repository's 'Secrets and variables' settings. Ensure the workflow YAML file is correctly injecting the secret into the environment variable as required by the Snyk action.

Summary

  • Change-related failures: 1 (Snyk authentication failure).
  • Infrastructure/flaky failures: 0.
  • Recommended action: The developer should verify the repository secrets to ensure the SNYK_TOKEN is present and valid. Once updated, re-run the failed CI job to confirm authentication succeeds and the SARIF report is generated.
Code Review ⚠️ Changes requested 0 resolved / 2 findings

Integration of Snyk security scanning and dependency review workflows is blocked by the use of a mutable action reference and a misconfigured push trigger that prevents SARIF file generation.

⚠️ Security: Snyk action pinned to mutable @master ref

📄 .github/workflows/snyk-security.yml:19 📄 .github/workflows/snyk-security.yml:32

Using snyk/actions/gradle-jdk11@master pins the action to a branch that can change at any time. If the upstream repository is compromised or force-pushed, arbitrary code could run in this workflow with security-events: write and access to the SNYK_TOKEN secret. Best practice is to pin third-party actions to a full commit SHA (and optionally add a comment with the version tag for readability).

Pin Snyk actions to a specific commit SHA to prevent supply-chain attacks via a compromised upstream branch.
- name: Run Snyk to check for vulnerabilities
  if: github.event_name == 'pull_request'
  uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z
  ...
- name: Monitor on default branch
  if: github.event_name == 'push'
  uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z
⚠️ Bug: SARIF upload may fail if snyk.sarif is not created on push

📄 .github/workflows/snyk-security.yml:25-29

On a push event, the Snyk scan step (line 17-24) is skipped due to the if: github.event_name == 'pull_request' condition, so snyk.sarif is never written. The upload step (line 25-29) also has the same condition so it is correctly skipped. However, if the scan step fails early (before writing the file) on a PR, continue-on-error: true lets the workflow proceed to the upload step which will then fail because snyk.sarif doesn't exist. Consider adding if: success() || failure() with a file-existence check, or at minimum note that the upload step should also have continue-on-error: true.

Only attempt upload when the SARIF file actually exists, preventing failures when the Snyk step errors before producing output.
- name: Upload result to GitHub Code Scanning
  if: github.event_name == 'pull_request' && hashFiles('snyk.sarif') != ''
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: snyk.sarif
🤖 Prompt for agents
Code Review: Integration of Snyk security scanning and dependency review workflows is blocked by the use of a mutable action reference and a misconfigured push trigger that prevents SARIF file generation.

1. ⚠️ Security: Snyk action pinned to mutable `@master` ref
   Files: .github/workflows/snyk-security.yml:19, .github/workflows/snyk-security.yml:32

   Using `snyk/actions/gradle-jdk11@master` pins the action to a branch that can change at any time. If the upstream repository is compromised or force-pushed, arbitrary code could run in this workflow with `security-events: write` and access to the `SNYK_TOKEN` secret. Best practice is to pin third-party actions to a full commit SHA (and optionally add a comment with the version tag for readability).

   Fix (Pin Snyk actions to a specific commit SHA to prevent supply-chain attacks via a compromised upstream branch.):
   - name: Run Snyk to check for vulnerabilities
     if: github.event_name == 'pull_request'
     uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z
     ...
   - name: Monitor on default branch
     if: github.event_name == 'push'
     uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z

2. ⚠️ Bug: SARIF upload may fail if snyk.sarif is not created on push
   Files: .github/workflows/snyk-security.yml:25-29

   On a `push` event, the Snyk scan step (line 17-24) is skipped due to the `if: github.event_name == 'pull_request'` condition, so `snyk.sarif` is never written. The upload step (line 25-29) also has the same condition so it is correctly skipped. However, if the scan step fails early (before writing the file) on a PR, `continue-on-error: true` lets the workflow proceed to the upload step which will then fail because `snyk.sarif` doesn't exist. Consider adding `if: success() || failure()` with a file-existence check, or at minimum note that the upload step should also have `continue-on-error: true`.

   Fix (Only attempt upload when the SARIF file actually exists, preventing failures when the Snyk step errors before producing output.):
   - name: Upload result to GitHub Code Scanning
     if: github.event_name == 'pull_request' && hashFiles('snyk.sarif') != ''
     uses: github/codeql-action/upload-sarif@v3
     with:
       sarif_file: snyk.sarif

Tip

Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply Compact
gitar auto-apply:on         
gitar display:verbose         

Was this helpful? React with 👍 / 👎 | Gitar

- uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
if: github.event_name == 'pull_request'
uses: snyk/actions/gradle-jdk11@master

@gitar-bot gitar-bot Bot May 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Security: Snyk action pinned to mutable @master ref

Using snyk/actions/gradle-jdk11@master pins the action to a branch that can change at any time. If the upstream repository is compromised or force-pushed, arbitrary code could run in this workflow with security-events: write and access to the SNYK_TOKEN secret. Best practice is to pin third-party actions to a full commit SHA (and optionally add a comment with the version tag for readability).

Pin Snyk actions to a specific commit SHA to prevent supply-chain attacks via a compromised upstream branch.:

- name: Run Snyk to check for vulnerabilities
  if: github.event_name == 'pull_request'
  uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z
  ...
- name: Monitor on default branch
  if: github.event_name == 'push'
  uses: snyk/actions/gradle-jdk11@<full-sha-of-latest-release>  # e.g. tag vX.Y.Z

Was this helpful? React with 👍 / 👎

Comment on lines +25 to +29
- name: Upload result to GitHub Code Scanning
if: github.event_name == 'pull_request'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif

@gitar-bot gitar-bot Bot May 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Bug: SARIF upload may fail if snyk.sarif is not created on push

On a push event, the Snyk scan step (line 17-24) is skipped due to the if: github.event_name == 'pull_request' condition, so snyk.sarif is never written. The upload step (line 25-29) also has the same condition so it is correctly skipped. However, if the scan step fails early (before writing the file) on a PR, continue-on-error: true lets the workflow proceed to the upload step which will then fail because snyk.sarif doesn't exist. Consider adding if: success() || failure() with a file-existence check, or at minimum note that the upload step should also have continue-on-error: true.

Only attempt upload when the SARIF file actually exists, preventing failures when the Snyk step errors before producing output.:

- name: Upload result to GitHub Code Scanning
  if: github.event_name == 'pull_request' && hashFiles('snyk.sarif') != ''
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: snyk.sarif

Was this helpful? React with 👍 / 👎

@c-warren

Copy link
Copy Markdown
Contributor Author

Closing in favour of Snyk's native GitHub integration

@c-warren c-warren closed this May 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant