varner-tech · philvarner-snyk · Dec 12, 2025 · Jan 6, 2026 · Jan 6, 2026 · Jan 6, 2026
diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
@@ -14,7 +14,7 @@ jobs:
   #   env:
   #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
   #     SNYK_CFG_ORG: varner-tech-engineering
-
+    
   #   steps:
   #     - name: Checkout code
   #       uses: actions/checkout@v3
@@ -55,24 +55,15 @@ jobs:
     permissions:
       contents: write
       actions: read
-    env:
-      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Setup Snyk CLI
-        uses: snyk/actions/setup@master
-
-      - name: Authenticate Snyk CLI
-        run: snyk auth "${{ secrets.SNYK_TOKEN }}"
-
       - name: Generate SBOM (CycloneDX JSON)
-        run: |
-          echo "Generating SBOM with Snyk..."
-          snyk sbom --format=cyclonedx1.6+json > sbom.cdx.json
-          echo "SBOM generation completed successfully"
-          ls -la sbom.cdx.json
+        uses: anchore/sbom-action@v0
+        with:
+          format: cyclonedx-json
+          output-file: sbom.cdx.json
 
       - name: Upload SBOM artifact
         uses: actions/upload-artifact@v4
@@ -86,8 +77,8 @@ jobs:
         with:
           files: sbom.cdx.json
 
-      - name: Display SBOM info
-        run: |
-          echo "SBOM generated successfully"
-          ls -la sbom.cdx.json
-          echo "SBOM size: $(wc -c < sbom.cdx.json) bytes"
+      - name: Submit SBOM to Dependency Graph
+        uses: advanced-security/sbom-dependency-submission-action@v0
+        with:
+          sbom-path: sbom.cdx.json
+          fail-on-error: true
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -38,6 +38,7 @@
     "lodash": "4.17.4",
     "marked": "0.3.5",
     "method-override": "latest",
+    "minimist": "0.0.8",
     "moment": "2.15.1",
     "mongodb": "^3.5.9",
     "mongoose": "4.2.4",
@@ -46,6 +47,7 @@
     "mysql": "^2.18.1",
     "npmconf": "0.0.24",
     "optional": "^0.1.3",
+    "serialize-javascript": "2.1.1",
     "st": "0.2.4",
     "stream-buffers": "^3.0.1",
     "tap": "^11.1.3",

diff --git a/routes/xss-vulnerable.js b/routes/xss-vulnerable.js
@@ -17,15 +17,15 @@ const { startVulnerableResponse } = require('../service/xssResponder');
 
 // UNSAFE: Direct XSS vulnerability - matches pattern Snyk detects
 // This is a simple reflected XSS that Snyk should flag
-// router.get('/', (req, res) => {
-//     // Get user input directly from query parameter without sanitization
-//     // This is the source of the XSS vulnerability
-//     const userInput = req.query.input || 'No input provided';
+router.get('/', (req, res) => {
+    // Get user input directly from query parameter without sanitization
+    // This is the source of the XSS vulnerability
+    const userInput = req.query.input || 'No input provided';
 
-//     const html = processUserInput(userInput, res);
+    const html = processUserInput(userInput, res);
 
-//     res.send(html);
-// });
+    res.send(html);
 const userInput = req.query.input || 'No input provided'; 
 res.send(html); 
 const userInput = req.query.input || 'No input provided'; 
 res.send(html); 
+});
 
 function processUserInput(userInput, res) {
     return `