From a2f51d504f6cc4b8f9c700e0064b80a84abf75cf Mon Sep 17 00:00:00 2001
From: Chris Warren <16132615+c-warren@users.noreply.github.com>
Date: Thu, 14 May 2026 11:26:10 -0700
Subject: [PATCH] chore: add Snyk security scanning and dependency review workflows

---
 .github/workflows/snyk-security.yml | 50 +++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/snyk-security.yml

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 00000000..c749de14
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,50 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Snyk to check for vulnerabilities
+        if: github.event_name == 'pull_request'
+        uses: snyk/actions/gradle-jdk8@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        if: github.event_name == 'pull_request'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
+      - name: Monitor on default branch
+        if: github.event_name == 'push'
+        uses: snyk/actions/gradle-jdk8@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+
+  dependency-review:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/dependency-review-action@v4
+        continue-on-error: true
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: always
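Review bot: `uses: snyk/actions/gradle-jdk8@master`, used by both the PR scan step and the "Monitor on default branch" step, resolves a mutable branch on every run, so whatever lands on that branch executes with `secrets.SNYK_TOKEN` in scope; pin it to a release tag or, better, a full commit SHA, e.g. `uses: snyk/actions/gradle-jdk8@<pinned-commit-sha>` (placeholder), and consider SHA-pinning the checkout, upload-sarif and dependency-review actions as well. Second, `continue-on-error: true` on the dependency-review step means `fail-on-severity: high` can never fail the job, so the gate is advisory only; drop that line if high-severity dependency changes are meant to block merges, and note that the same `continue-on-error: true` on the Snyk step turns `--severity-threshold=high` into a non-blocking result. Third, when the Snyk step fails (for instance on a pull request from a fork, where `SNYK_TOKEN` is presumably not available) `snyk.sarif` is never written and the upload step then fails on the missing file; either let the Snyk step fail visibly or guard the upload with `if: github.event_name == 'pull_request' && hashFiles('snyk.sarif') != ''`.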