From bf59e9ae1994b05f0598fb3d43fe1314c2d75cb4 Mon Sep 17 00:00:00 2001
From: Oscar Llamas
Date: Mon, 17 Nov 2025 20:53:13 -0600
Subject: [PATCH 1/5] chore: add Snyk dependency scan workflow
---
 .github/workflows/snyk-security.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .github/workflows/snyk-security.yml
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 00000000..929ab9eb
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,23 @@
+name: Snyk Security Scan
+
+on:
+ workflow_call:
+ push:
+
+jobs:
+ snyk-deps-scan:
+ name: Snyk Dependencies Scan
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
+ uses: datum-cloud/actions/.github/workflows/snyk-scan.yaml@59769c197eef6e792c22365a03b1b674033b4657
+ with:
+ command: "test"
+ fail-on-issues: false
+ severity-threshold: "high"
+ args: "--report"
+ upload-sarif: false
+ debug: false
+ snyk-org: ${{ vars.SNYK_ORG }}
+ secrets: inherit
From 6a6be30277af52e6d4deac86ff025741371066f4 Mon Sep 17 00:00:00 2001
From: Oscar Llamas
Date: Mon, 17 Nov 2025 20:58:30 -0600
Subject: [PATCH 2/5] test: enabling debug for Snyk workflow
---
 .github/workflows/snyk-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 929ab9eb..1ddfc6c3 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -18,6 +18,6 @@ jobs:
 severity-threshold: "high"
 args: "--report"
 upload-sarif: false
- debug: false
+ debug: true
 snyk-org: ${{ vars.SNYK_ORG }}
 secrets: inherit
From 98f6f08f9208f55534b010df4432ca6dccb80b14 Mon Sep 17 00:00:00 2001
From: Oscar Llamas
Date: Mon, 17 Nov 2025 21:10:15 -0600
Subject: [PATCH 3/5] chore: relax Snyk lockfile sync check temporarily
---
 .github/workflows/snyk-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
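Review bot: `security-events: write` in the `permissions` block of snyk-deps-scan is an unused scope, because the same hunk sets `upload-sarif: false`, so nothing in this job writes to Code Scanning; until SARIF upload is switched on the job can run with `contents: read` and `actions: read` only. `secrets: inherit` likewise hands every repository and organization secret to the called workflow, where presumably only a Snyk API token is needed — if snyk-scan.yaml declares that secret, pass it explicitly instead (the callee's inputs are not visible here). Pinning the reusable workflow to a full commit SHA is the right way to reference it. The snyk-code-scan job added in patch 5/5 repeats both the write scope and `secrets: inherit`, so the same applies there.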
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 1ddfc6c3..5e63072c 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -16,7 +16,7 @@ jobs:
 command: "test"
 fail-on-issues: false
 severity-threshold: "high"
- args: "--report"
+ args: "--report --strict-out-of-sync=false"
 upload-sarif: false
 debug: true
 snyk-org: ${{ vars.SNYK_ORG }}
From a9356121150ce3c4992752d4daeb73f9f238278f Mon Sep 17 00:00:00 2001
From: Oscar Llamas
Date: Mon, 17 Nov 2025 21:18:17 -0600
Subject: [PATCH 4/5] chore: setting low as severity threshold
---
 .github/workflows/snyk-security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 5e63072c..0d222ab7 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -15,9 +15,9 @@ jobs:
 with:
 command: "test"
 fail-on-issues: false
- severity-threshold: "high"
+ severity-threshold: "low"
 args: "--report --strict-out-of-sync=false"
 upload-sarif: false
- debug: true
+ debug: false
 snyk-org: ${{ vars.SNYK_ORG }}
 secrets: inherit
From a916414d9e2b214f839f1cc77b57e7fafee45d79 Mon Sep 17 00:00:00 2001
From: Oscar Llamas
Date: Mon, 17 Nov 2025 21:38:46 -0600
Subject: [PATCH 5/5] add(snyk): code scan SAST job
---
 .github/workflows/snyk-security.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 0d222ab7..6296a815 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
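Review bot: `--strict-out-of-sync=false` in the new `args` value tells the Snyk CLI to proceed when the manifest and lockfile disagree, so from this commit on the dependency results may describe the manifest's declared ranges rather than the versions actually pinned in the lockfile. The commit message calls the relaxation temporary, but the workflow itself carries no marker, so the flag is likely to outlive the lockfile fix. Add a comment above the line, `# TODO: drop --strict-out-of-sync=false once the lockfile is back in sync with the manifest`, and a reference to whatever tracks the lockfile repair. The enclosing snyk-deps-scan job starts and ends outside this hunk.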
@@ -21,3 +21,20 @@ jobs:
 debug: false
 snyk-org: ${{ vars.SNYK_ORG }}
 secrets: inherit
+
+ snyk-code-scan:
+ name: Snyk Code Scan (SAST)
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
+ uses: datum-cloud/actions/.github/workflows/snyk-scan.yaml@59769c197eef6e792c22365a03b1b674033b4657
+ with:
+ command: "code test"
+ fail-on-issues: false
+ severity-threshold: "low"
+ args: "--report"
+ upload-sarif: false
+ debug: false
+ snyk-org: ${{ vars.SNYK_ORG }}
+ secrets: inherit
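Review bot: SAST findings from the new snyk-code-scan job never surface in this repository, because the hunk sets both `fail-on-issues: false` and `upload-sarif: false`: nothing fails the push check and nothing reaches the Code Scanning tab, so results exist only where `--report` sends them, presumably the Snyk organization named by `snyk-org`. That is a reasonable onboarding mode while a baseline is triaged, but the file does not say so, and a reader who sees a job called "Snyk Code Scan (SAST)" will assume it gates. Add a comment above `snyk-code-scan:`, `# Report-only for now: findings go to Snyk via --report; nothing fails the build or reaches Code Scanning yet`, and revisit the two flags once the baseline is clean. The `jobs:` mapping and the preceding snyk-deps-scan job start outside this hunk.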