49 changes: 49 additions & 0 deletions .github/workflows/snyk.yml
@@ -0,0 +1,49 @@
name: Snyk Security Scan

on:
push:
branches: [ main ]
pull_request:

permissions: {}

jobs:
snyk:
runs-on: ubuntu-latest
permissions:
contents: read
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Copilot AI Apr 22, 2026

All other workflows add a "Harden the runner" step via step-security/harden-runner (e.g., .github/workflows/codeql.yml:42-46), but this workflow does not. Consider adding the same hardening step (and egress policy) here to keep runner security consistent across CI workflows.

Suggested change
- name: Harden the runner
uses: step-security/harden-runner@v2
with:
egress-policy: audit

- name: Setup Node.js
if: hashFiles('package.json') != ''
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 20
cache: 'npm'

- name: Install dependencies
if: hashFiles('package.json') != ''
run: npm ci

- name: Setup Snyk
if: env.SNYK_TOKEN != ''
uses: snyk/actions/setup@b98263eb70355f69f2e718b56d354966d5b08c9f # v3

- name: Run Snyk test
if: env.SNYK_TOKEN != ''
run: snyk test --severity-threshold=high
continue-on-error: true

Comment on lines +41 to +45

Copilot AI Apr 22, 2026

SNYK_TOKEN is injected for all pull_request runs. For PRs originating from forks, repository secrets are unavailable so this step will consistently error (even if the job stays green due to continue-on-error), creating noisy logs and effectively skipping scanning. Gate Snyk steps on the presence of the secret (e.g., if: secrets.SNYK_TOKEN != '') and/or skip PR runs from forks so the workflow behaves predictably.

- name: Snyk monitor
if: github.event_name == 'push' && github.ref == 'refs/heads/main' && env.SNYK_TOKEN != ''
run: snyk monitor
continue-on-error: true
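Review bot: with `continue-on-error: true` on both the `Run Snyk test` and `Snyk monitor` steps, the `--severity-threshold=high` filter never affects the job result, so a high-severity finding leaves the check green and is visible only in the step log. If the scan is meant to be advisory, say so in the README; if it is meant to gate merges, drop `continue-on-error` from the `Run Snyk test` step. The `if: env.SNYK_TOKEN != ''` guard already keeps fork PRs from erroring, and reading the job-level `env` is the right choice here because the `secrets` context is not available in a step-level `if`. Two smaller points: `snyk test` without `--all-projects` scans only the manifest in the repository root, and `egress-policy: audit` only logs outbound calls; once the audit log shows which endpoints Snyk needs, `block` with an allow-list is the enforcing setting.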
6 changes: 6 additions & 0 deletions README.md
@@ -75,6 +75,12 @@ npm run test:watch
npm run test:coverage
```

### Security Scanning with Snyk

- CI runs a Snyk scan on pushes and pull requests to help identify known vulnerabilities.
- Authenticated Snyk scans require a `SNYK_TOKEN` to be configured in the repository secrets.
- On pull requests from forks, GitHub Actions does not provide repository secrets by default, so Snyk scans may be skipped or run in a limited way unless an alternative authentication approach is configured.

## Development

### Local Development Setup
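Review bot: the third bullet says scans "may be skipped or run in a limited way", but the workflow in this PR gates every Snyk step on `env.SNYK_TOKEN != ''`, so on a pull request from a fork they are skipped outright rather than run in a limited way; "are skipped" is the accurate wording and avoids readers expecting partial results. It would also help to note that the scan is non-blocking (the steps use `continue-on-error: true`), so a green check is not read as a clean scan.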