From aadd71b14d005e004d24111b45b12bf5cbdf1291 Mon Sep 17 00:00:00 2001
From: Aaravanand00
Date: Wed, 22 Apr 2026 14:59:02 +0530
Subject: [PATCH] chore: integrate snyk security scanning via GitHub Actions

- Added snyk.yml workflow for security scanning with restricted read-only permissions
- Running in warn-only mode initially to prevent breaking CI; can be enforced in future
- Configured to run on push to main and all pull requests
- Gated Snyk steps to skip on fork PRs where SNYK_TOKEN is unavailable
- Pinned actions to full commit SHAs for enhanced security
- Added runner hardening and narrowed job-level permissions

Signed-off-by: Aaravanand00
---
 .github/workflows/snyk.yml | 49 ++++++++++++++++++++++++++++++++++++++
 README.md | 6 +++++
 2 files changed, 55 insertions(+)
 create mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000..b4e5987
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,49 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+
+permissions: {}
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Node.js
+        if: hashFiles('package.json') != ''
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Install dependencies
+        if: hashFiles('package.json') != ''
+        run: npm ci
+
+      - name: Setup Snyk
+        if: env.SNYK_TOKEN != ''
+        uses: snyk/actions/setup@b98263eb70355f69f2e718b56d354966d5b08c9f # v3
+
+      - name: Run Snyk test
+        if: env.SNYK_TOKEN != ''
+        run: snyk test --severity-threshold=high
+        continue-on-error: true
+
+      - name: Snyk monitor
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.SNYK_TOKEN != ''
+        run: snyk monitor
+        continue-on-error: true
diff --git a/README.md b/README.md
index 73a39bd..4b53394 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,12 @@ npm run test:watch npm run test:coverage ```
+### Security Scanning with Snyk
+
+- CI runs a Snyk scan on pushes and pull requests to help identify known vulnerabilities.
+- Authenticated Snyk scans require a `SNYK_TOKEN` to be configured in the repository secrets.
+- On pull requests from forks, GitHub Actions does not provide repository secrets by default, so Snyk scans may be skipped or run in a limited way unless an alternative authentication approach is configured.
+
 ## Development ### Local Development Setup
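Review bot: The job-level `env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` makes the secret visible to every step, including `run: npm ci`, so any dependency lifecycle script (preinstall/postinstall) executed on a push or same-repo PR can read it; the token should be attached only to the Snyk steps. The `secrets` context is presumably what forced the job-level env, since it is not usable directly in a step `if`, so keep a job-level boolean `HAS_SNYK_TOKEN: ${{ secrets.SNYK_TOKEN != '' }}` for gating and add a per-step `env:` with the real token on `Run Snyk test` and `Snyk monitor` (`snyk/actions/setup` only installs the CLI and does not appear to need it). Gating `Install dependencies` on the same flag also stops fork PRs, where the Snyk steps are skipped anyway, from running untrusted install scripts for no benefit; `npm ci --ignore-scripts` is worth considering too if `snyk test` only needs the lockfile, which I have not confirmed here. Separately, `egress-policy: audit` on the harden-runner step only logs outbound calls, so once the Snyk and npm registry endpoints are known from the audit output, switching to `block` with `allowed-endpoints` would make that step enforce something.
```yaml
    env:
      # boolean only; the secret itself is scoped to the Snyk steps below
      HAS_SNYK_TOKEN: ${{ secrets.SNYK_TOKEN != '' }}
    steps:
      # … unchanged: harden-runner, checkout, setup-node …

      - name: Install dependencies
        if: hashFiles('package.json') != '' && env.HAS_SNYK_TOKEN == 'true'
        run: npm ci

      - name: Setup Snyk
        if: env.HAS_SNYK_TOKEN == 'true'
        uses: snyk/actions/setup@b98263eb70355f69f2e718b56d354966d5b08c9f # v3

      - name: Run Snyk test
        if: env.HAS_SNYK_TOKEN == 'true'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk test --severity-threshold=high
        continue-on-error: true

      - name: Snyk monitor
        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.HAS_SNYK_TOKEN == 'true'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk monitor
        continue-on-error: true
```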