---
name: Snyk Security Scan

# The push trigger was removed because of Snyk rate limits on the free tier;
# the scans run weekly and on manual dispatch only, so a limit hit never
# breaks pull-request CI.
on:  # yamllint disable-line rule:truthy
  schedule:
    # Weekly, Monday 02:00 UTC
    - cron: '0 2 * * 1'
  workflow_dispatch:

# One active run per workflow and ref; a newer run supersedes an in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Quoted so YAML does not read the version as the float 3.13
  PYTHON_VERSION: "3.13"
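jobs:
  # Dependency (SCA) scan of the requirements.txt exported from the Poetry lockfile.
  snyk-test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # An empty or missing SNYK_TOKEN is not detected up front (secrets are not
    # available in job-level `if`); the scan step below fails visibly on the
    # resulting authentication error instead of reporting a clean scan.
    permissions:
      contents: read          # checkout
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repositories
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          version: latest
          virtualenvs-create: true
          virtualenvs-in-project: true

      - name: Install poetry-plugin-export
        run: poetry self add poetry-plugin-export

      - name: Cache Poetry dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: .venv
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

      - name: Install dependencies
        run: poetry install --no-interaction

      - name: Export requirements.txt for Snyk
        run: poetry export -f requirements.txt --output requirements.txt --without-hashes

      # Same pinned setup action the snyk-code and snyk-iac jobs use. Without it
      # `snyk test` below fails with "command not found", which the previous
      # unconditional `exit 0` turned into an apparently clean scan.
      - name: Install Snyk CLI
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # Outputs: sarif_ready=true when a SARIF file was produced and should be
      # uploaded; rate_limit_hit=true when the run was skipped on a Snyk limit.
      - name: Run Snyk dependency vulnerability scan
        id: snyk-sca-scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          snyk test --severity-threshold=high --file=requirements.txt --sarif-file-output=snyk-sca.sarif 2>&1 | tee snyk-sca-output.log
          # The default `bash -e {0}` step shell has no pipefail, so $? here is
          # tee's status; PIPESTATUS[0] is snyk's own exit code.
          EXIT_CODE=${PIPESTATUS[0]}
          # Snyk CLI exit codes: 0 = no vulns, 1 = vulns found, 2 = failure,
          # 3 = no supported manifest found.
          if [ "$EXIT_CODE" -le 1 ]; then
            if [ ! -s snyk-sca.sarif ]; then
              echo "::error::Snyk SCA scan exited $EXIT_CODE but wrote no SARIF file"
              exit 1
            fi
            # Findings never fail the workflow; they are reported via Code Scanning.
            echo "sarif_ready=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Rate-limit detection is attempted only for an errored run: matching
          # the findings output too could trip on vulnerability titles such as
          # "Missing Rate Limiting".
          if grep -qiE "(test limit|rate limit|monthly limit|tests per month|limit.*reached|You have reached)" snyk-sca-output.log; then
            echo "::notice::Snyk SCA test limit reached. Scan skipped for this run. The limit resets periodically."
            echo "rate_limit_hit=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Any other failure (missing CLI, bad or empty SNYK_TOKEN, network) is
          # surfaced instead of being reported as a clean scan.
          echo "::error::Snyk SCA scan failed with exit code $EXIT_CODE; see snyk-sca-output.log above"
          exit "$EXIT_CODE"

      # Only a real scan result is uploaded. Uploading a fabricated empty SARIF
      # after a failed or skipped scan would make Code Scanning mark every
      # previously open snyk-sca alert as fixed.
      - name: Upload Snyk SCA results to GitHub Code Scanning
        if: steps.snyk-sca-scan.outputs.sarif_ready == 'true'
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
        with:
          sarif_file: snyk-sca.sarif
          category: snyk-sca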
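# Static analysis (SAST) of the application source with Snyk Code.
  snyk-code:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # With only schedule and workflow_dispatch triggers this condition is always
    # true; it is kept so the job stays main-only if a push trigger is reinstated.
    if: github.ref == 'refs/heads/main' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    # An empty or missing SNYK_TOKEN is not detected up front (secrets are not
    # available in job-level `if`); the scan step below fails visibly on the
    # resulting authentication error instead of reporting a clean scan.
    permissions:
      contents: read          # checkout
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repositories
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Snyk CLI
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # Outputs: sarif_ready=true when a SARIF file was produced and should be
      # uploaded; rate_limit_hit=true when the run was skipped on a Snyk limit.
      - name: Run Snyk Code analysis (SAST)
        id: snyk-code-scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          # Capture both stdout and stderr to a file for analysis
          snyk code test souschef/ --sarif-file-output=snyk-code.sarif 2>&1 | tee snyk-code-output.log
          # The default `bash -e {0}` step shell has no pipefail, so $? here is
          # tee's status; PIPESTATUS[0] is snyk's own exit code.
          EXIT_CODE=${PIPESTATUS[0]}
          # Snyk CLI exit codes: 0 = no issues, 1 = issues found, 2 = failure,
          # 3 = no supported files found.
          case "$EXIT_CODE" in
            0|1)
              if [ ! -s snyk-code.sarif ]; then
                echo "::error::Snyk Code scan exited $EXIT_CODE but wrote no SARIF file"
                exit 1
              fi
              # Findings never fail the workflow; they are reported via Code Scanning.
              echo "sarif_ready=true" >> "$GITHUB_OUTPUT"
              exit 0
              ;;
            3)
              echo "::warning::Snyk Code found no supported source files under souschef/; nothing uploaded."
              exit 0
              ;;
          esac
          # Rate-limit detection is attempted only for an errored run: matching
          # the findings output too could trip on issue titles that mention
          # rate limiting.
          if grep -qiE "(code test limit|test limit reached|rate limit|monthly limit|tests per month|limit.*reached|You have reached)" snyk-code-output.log; then
            echo "::notice::Snyk Code test limit reached. Scan skipped for this run. The limit resets periodically."
            echo "rate_limit_hit=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Any other failure (bad or empty SNYK_TOKEN, network, CLI error) is
          # surfaced instead of being reported as a clean scan.
          echo "::error::Snyk Code scan failed with exit code $EXIT_CODE; see snyk-code-output.log above"
          exit "$EXIT_CODE"

      # Only a real scan result is uploaded. Uploading a fabricated empty SARIF
      # after a failed or skipped scan would make Code Scanning mark every
      # previously open snyk-code alert as fixed.
      - name: Upload Snyk Code results to GitHub Code Scanning
        if: steps.snyk-code-scan.outputs.sarif_ready == 'true'
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
        with:
          sarif_file: snyk-code.sarif
          category: snyk-code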
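# Infrastructure-as-code scan of the examples directory.
  snyk-iac:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # An empty or missing SNYK_TOKEN is not detected up front (secrets are not
    # available in job-level `if`); the scan step below fails visibly on the
    # resulting authentication error instead of reporting a clean scan.
    permissions:
      contents: read          # checkout
      security-events: write  # upload-sarif
      actions: read           # required by upload-sarif on private repositories
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Snyk CLI
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # Outputs: sarif_ready=true when a SARIF file was produced and should be
      # uploaded; rate_limit_hit=true when the run was skipped on a Snyk limit.
      - name: Scan Infrastructure as Code files
        id: snyk-iac-scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          # Scan any IaC files in examples.
          # NOTE(review): the original comment says "Ansible playbooks"; verify that
          # examples/ holds a format Snyk IaC actually supports — exit code 3 below
          # is how an unsupported directory shows up.
          snyk iac test examples/ --sarif-file-output=snyk-iac.sarif 2>&1 | tee snyk-iac-output.log
          # The default `bash -e {0}` step shell has no pipefail, so $? here is
          # tee's status; PIPESTATUS[0] is snyk's own exit code.
          EXIT_CODE=${PIPESTATUS[0]}
          # Snyk CLI exit codes: 0 = no issues, 1 = issues found, 2 = failure,
          # 3 = no supported IaC files found.
          case "$EXIT_CODE" in
            0|1)
              if [ ! -s snyk-iac.sarif ]; then
                echo "::error::Snyk IaC scan exited $EXIT_CODE but wrote no SARIF file"
                exit 1
              fi
              # Findings never fail the workflow; they are reported via Code Scanning.
              echo "sarif_ready=true" >> "$GITHUB_OUTPUT"
              exit 0
              ;;
            3)
              echo "::warning::Snyk IaC found no supported files under examples/; nothing uploaded."
              exit 0
              ;;
          esac
          # Rate-limit detection is attempted only for an errored run: matching
          # the findings output too could trip on issue titles that mention
          # rate limiting.
          if grep -qiE "(test limit|rate limit|monthly limit|tests per month|limit.*reached|You have reached)" snyk-iac-output.log; then
            echo "::notice::Snyk IaC test limit reached. Scan skipped for this run. The limit resets periodically."
            echo "rate_limit_hit=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Any other failure (bad or empty SNYK_TOKEN, network, CLI error) is
          # surfaced instead of being reported as a clean scan.
          echo "::error::Snyk IaC scan failed with exit code $EXIT_CODE; see snyk-iac-output.log above"
          exit "$EXIT_CODE"

      # Only a real scan result is uploaded. Uploading a fabricated empty SARIF
      # after a failed or skipped scan would make Code Scanning mark every
      # previously open snyk-iac alert as fixed.
      - name: Upload Snyk IaC results to GitHub Code Scanning
        if: steps.snyk-iac-scan.outputs.sarif_ready == 'true'
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
        with:
          sarif_file: snyk-iac.sarif
          category: snyk-iac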
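# Registers the dependency snapshot with Snyk's continuous monitoring.
  snyk-monitor:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # The workflow no longer has a push trigger, so the previous condition
    # (`github.event_name == 'push' && ...`) could never be true and the job never
    # ran. Snapshots are taken from main only: scheduled runs execute on the
    # default branch, and a manual dispatch is accepted only when run on main.
    if: github.ref == 'refs/heads/main' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
    # An empty or missing SNYK_TOKEN is not detected up front (secrets are not
    # available in job-level `if`); the monitor step below reports the resulting
    # authentication error as a warning.
    permissions:
      contents: read  # checkout only; nothing is uploaded to Code Scanning here
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          version: latest
          virtualenvs-create: true
          virtualenvs-in-project: true

      - name: Install poetry-plugin-export
        run: poetry self add poetry-plugin-export

      - name: Cache Poetry dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
        with:
          path: .venv
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

      - name: Install dependencies
        run: poetry install --no-interaction

      - name: Export requirements.txt for Snyk
        run: poetry export -f requirements.txt --output requirements.txt --without-hashes

      # Same pinned setup action the scanning jobs use; the job previously had no
      # CLI install, so `snyk monitor` would have failed with "command not found".
      - name: Install Snyk CLI
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # Output: rate_limit_hit=true when the run was skipped on a Snyk limit.
      - name: Register project with Snyk monitoring
        id: snyk-monitor
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          snyk monitor --file=requirements.txt --project-name=souschef 2>&1 | tee snyk-monitor-output.log
          # The default `bash -e {0}` step shell has no pipefail, so $? here is
          # tee's status; PIPESTATUS[0] is snyk's own exit code.
          EXIT_CODE=${PIPESTATUS[0]}
          if [ "$EXIT_CODE" -eq 0 ]; then
            exit 0
          fi
          if grep -qiE "(test limit|rate limit|monthly limit|tests per month|limit.*reached|You have reached)" snyk-monitor-output.log; then
            echo "::notice::Snyk monitoring limit reached. Skipped for this run. The limit resets periodically."
            echo "rate_limit_hit=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # Monitoring is informational and must not fail the workflow, but a
          # failure (bad or empty SNYK_TOKEN, network, CLI error) is still shown
          # as a warning rather than hidden behind a silent exit 0.
          echo "::warning::Snyk monitor failed with exit code $EXIT_CODE; the project snapshot was not refreshed. See snyk-monitor-output.log above."
          exit 0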