chore: integrate snyk security scanning via GitHub Actions #126
Aaravanand00 wants to merge 1 commit into hyperledger-identus:main from
Conversation
Aaravanand00
commented
Apr 22, 2026
- Added snyk.yml workflow for security scanning with restricted read-only permissions
- Running in warn-only mode initially to prevent breaking CI; can be enforced in future
- Configured to run on push to main and all pull requests
- Note: Scan will fail if SNYK_TOKEN is missing in repository secrets
Force-pushed 5440dfb to 9ea02e5.
Pull request overview
Integrates Snyk security scanning into CI via a new GitHub Actions workflow, and documents the requirement for a repository SNYK_TOKEN.
Changes:
- Added `.github/workflows/snyk.yml` to run `snyk test` on PRs and pushes, and `snyk monitor` on pushes to `main`.
- Documented Snyk CI scanning and the required secret in the README.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| README.md | Adds documentation for Snyk scanning and the required SNYK_TOKEN secret. |
| .github/workflows/snyk.yml | New workflow that sets up Node, installs dependencies, and runs Snyk scan/monitor in CI. |
| - name: Run Snyk test | ||
| # Run in warn-only mode initially to avoid breaking CI; can be enforced in future | ||
| run: snyk test --severity-threshold=high | ||
| continue-on-error: true | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
|
|
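Review bot: gating this step with `if: secrets.SNYK_TOKEN != ''` will not work, because the `secrets` context is not available inside step-level or job-level `if:` expressions; expose the secret through `env:` and test `env.SNYK_TOKEN != ''`, or skip fork PRs with `github.event.pull_request.head.repo.full_name == github.repository`. Separately, with `continue-on-error: true` a genuine high-severity finding and a failure from a missing token both end as a red step inside a green job, visible only in the step log; if warn-only is the goal, consider `snyk test --severity-threshold=high --sarif-file-output=snyk.sarif` followed by a SARIF upload so findings land in the Security tab, which also needs `security-events: write` on the job.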
SNYK_TOKEN is injected for all pull_request runs. For PRs originating from forks, repository secrets are unavailable so this step will consistently error (even if the job stays green due to continue-on-error), creating noisy logs and effectively skipping scanning. Gate Snyk steps on the presence of the secret (e.g., if: secrets.SNYK_TOKEN != '') and/or skip PR runs from forks so the workflow behaves predictably.
| - name: Snyk monitor | ||
| run: snyk monitor | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' |
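Review bot: `snyk monitor` runs with no `--org`, so the project is registered in whatever organization the token defaults to; pass `--org=<ORG_ID>` explicitly, and since this is the step that writes to Snyk, source `SNYK_TOKEN` from a Snyk service account rather than a personal token. The `if:` line sitting after `env:` is also easy to miss on review; conventionally it goes directly under `name:`.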
The PR description says the workflow runs in "warn-only mode" initially, but snyk monitor can still fail the job (e.g., due to missing token or transient Snyk API issues) on pushes to main. If the intent is truly warn-only for now, consider also making the monitor step non-blocking (continue-on-error) and/or explicitly skipping it when SNYK_TOKEN is not set.
| - CI runs a Snyk scan on every push and pull request to help identify known vulnerabilities. | ||
| - Requires a `SNYK_TOKEN` to be configured in the repository secrets for the scan to authenticate. |
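Review bot: "every push" overstates the trigger; per the PR description the workflow runs on pushes to `main` and on pull requests, and the test step uses `--severity-threshold=high`, so medium and low findings are never reported. Say both in the README, and note that the scan is currently non-blocking (`continue-on-error`), so a green check does not mean a clean scan.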
README notes that CI runs Snyk on every push/PR and that a SNYK_TOKEN is required, but on forked pull requests secrets are not provided by GitHub Actions. Consider clarifying that scans may be skipped/limited for fork PRs unless an alternative auth approach is used, so contributors understand why a scan might not run.
| - CI runs a Snyk scan on every push and pull request to help identify known vulnerabilities. | |
| - Requires a `SNYK_TOKEN` to be configured in the repository secrets for the scan to authenticate. | |
| - CI runs a Snyk scan on pushes and pull requests to help identify known vulnerabilities. | |
| - Authenticated Snyk scans require a `SNYK_TOKEN` to be configured in the repository secrets. | |
| - On pull requests from forks, GitHub Actions does not provide repository secrets by default, so Snyk scans may be skipped or run in a limited way unless an alternative authentication approach is configured. |
| run: npm ci | ||
|
|
||
| - name: Setup Snyk | ||
| uses: snyk/actions/setup@v3 |
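Review bot: `npm ci` runs unconditionally while `Setup Node.js` is gated on `hashFiles('package.json') != ''`, so on a checkout without `package.json` (or without `package-lock.json`, which `npm ci` requires) the install step fails before Snyk runs; apply the same `if:` here. Consider `npm ci --ignore-scripts` as well: install-time lifecycle scripts of every dependency execute on the runner, and if Snyk only needs the lockfile to resolve the dependency tree they add risk without adding anything to the scan.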
This workflow uses snyk/actions/setup@v3 as a floating tag. Elsewhere in the repo, third-party actions are pinned to a commit SHA (e.g., ossf/scorecard-action@4eaacf… in .github/workflows/scorecard.yml:49). Please pin the Snyk action to a specific commit SHA as well to reduce supply-chain risk.
| uses: snyk/actions/setup@v3 | |
| uses: snyk/actions/setup@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V3> # v3 |
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Node.js | ||
| if: hashFiles('package.json') != '' | ||
| uses: actions/setup-node@v4 |
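Review bot: when pinning these to commit SHAs, keep the tag as a trailing comment (`uses: actions/checkout@<sha> # v4.x.y`) as the snyk/actions suggestion does; bare SHAs lose the version hint that Dependabot and human reviewers rely on to match a SHA to a release, and each SHA should be checked against the tag's commit in the upstream repository before merging.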
This repository pins GitHub Actions to full commit SHAs (e.g., actions/checkout@de0fac… in .github/workflows/ci.yml:27) for supply-chain security, but this workflow uses floating tags (actions/checkout@v4, actions/setup-node@v4). Please pin these to specific commit SHAs to match the established convention and reduce the risk of a compromised upstream tag.
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| if: hashFiles('package.json') != '' | |
| uses: actions/setup-node@v4 | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 | |
| - name: Setup Node.js | |
| if: hashFiles('package.json') != '' | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
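Review bot: the harden-runner step being added here should itself be SHA-pinned rather than `@v2`, given the pinning asked for elsewhere in this review, and `egress-policy: audit` only logs outbound connections. After a couple of runs in audit mode, move to `egress-policy: block` with an `allowed-endpoints` list covering GitHub, the npm registry and the Snyk API; that is what stops a compromised dependency or action from exfiltrating `SNYK_TOKEN`.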
All other workflows add a "Harden the runner" step via step-security/harden-runner (e.g., .github/workflows/codeql.yml:42-46), but this workflow does not. Consider adding the same hardening step (and egress policy) here to keep runner security consistent across CI workflows.
| - name: Harden the runner | |
| uses: step-security/harden-runner@v2 | |
| with: | |
| egress-policy: audit |
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| snyk: | ||
| runs-on: ubuntu-latest |
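Review bot: with `permissions: {}` at workflow level, add `security-events: write` to this job (not to the workflow block) if the test step later uploads SARIF; `contents: read` alone covers checkout and `snyk test`.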
Workflow-level permissions are set explicitly here, but the repo convention is permissions: {} at the workflow level and then narrow permissions per-job (see .github/workflows/ci.yml:11-19). To keep permissions reviewable and consistent, set workflow permissions to {} and move contents: read under jobs.snyk.permissions.
| permissions: | |
| contents: read | |
| jobs: | |
| snyk: | |
| runs-on: ubuntu-latest | |
| permissions: {} | |
| jobs: | |
| snyk: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read |
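Putting the review points together, this is what the workflow looks like with fork gating, SHA pinning, runner hardening and job-scoped permissions applied. It is an added example written for this page, not the project's workflow or the commit under review. Assumptions: the checkout and setup-node SHAs are the ones proposed in the review above and have not been verified here; the harden-runner and snyk/actions SHAs are placeholders to be resolved from their tags; the lockfile gate on `npm ci` and `--ignore-scripts` are this example's additions; and because the `secrets` context cannot be used in `if:`, fork PRs are skipped by comparing the head repository to `github.repository` instead.

```yaml
name: Snyk

on:
  push:
    branches: [main]
  pull_request:

# Nothing at workflow level; the job asks for exactly what it needs.
permissions: {}

jobs:
  snyk:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Fork PRs do not receive repository secrets, so skip the job for them.
    # `secrets` cannot be referenced inside `if:`, hence the head-repo check;
    # the push case is short-circuited first so the pull_request fields are
    # only evaluated on pull_request events.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - name: Harden the runner
        # Placeholder SHA: resolve from the v2 tag before use.
        uses: step-security/harden-runner@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V2> # v2
        with:
          # Audit first; switch to `block` with `allowed-endpoints` once the
          # egress log shows which hosts the scan actually needs.
          egress-policy: audit

      # SHAs below are the ones proposed in the review; verify each against
      # the upstream tag before merging.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Node.js
        if: hashFiles('package.json') != ''
        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4

      - name: Install dependencies
        # npm ci needs a lockfile; gate on it rather than failing the job.
        if: hashFiles('package-lock.json') != ''
        # Lifecycle scripts are not needed to resolve the dependency tree.
        run: npm ci --ignore-scripts

      - name: Setup Snyk
        # Placeholder SHA: resolve from the v3 tag before use.
        uses: snyk/actions/setup@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V3> # v3

      - name: Snyk test (warn-only)
        # Non-blocking for now; remove continue-on-error to enforce.
        run: snyk test --severity-threshold=high
        continue-on-error: true

      - name: Snyk monitor
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: snyk monitor
        continue-on-error: true
```

The `SNYK_TOKEN` is set once at job level so both Snyk steps see it and the install step does not need it in its environment. Once enforcement is wanted, drop `continue-on-error` from the test step; the monitor step can stay non-blocking, since a transient Snyk API failure on a push to `main` should not block the branch.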
- Added snyk.yml workflow for security scanning with restricted read-only permissions
- Running in warn-only mode initially to prevent breaking CI; can be enforced in future
- Configured to run on push to main and all pull requests
- Gated Snyk steps to skip on fork PRs where SNYK_TOKEN is unavailable
- Pinned actions to full commit SHAs for enhanced security
- Added runner hardening and narrowed job-level permissions

Signed-off-by: Aaravanand00 <aaravanand5749@gmail.com>
Force-pushed 9ea02e5 to aadd71b.