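---
# Snyk security scanning for this repository.
#
# Three scan jobs run on pushes to main, on pull requests and weekly:
#   snyk-test  - dependency (SCA) scan of the exported requirements.txt
#   snyk-code  - Snyk Code static analysis (SAST)
#   snyk-iac   - infrastructure-as-code scan of examples/
# A fourth job, snyk-monitor, registers the project with Snyk monitoring on
# pushes to main only.
#
# Results are uploaded to GitHub Code Scanning under the categories snyk-sca,
# snyk-code and snyk-iac. The scan steps use continue-on-error so that findings
# are surfaced in Code Scanning rather than failing the workflow.
#
# SNYK_TOKEN is a repository secret and is NOT available to pull requests from
# forks. Each job therefore checks for the token explicitly and skips the Snyk
# steps when it is absent; this replaces the previous (incorrect) assumption
# that the job would skip itself. Uploads are skipped in that case too: an
# empty SARIF upload would otherwise close every existing alert in that
# category for the ref as "fixed".
#
# Pinning: first-party GitHub actions are pinned by major tag, third-party
# actions by commit SHA (with the release tag in a trailing comment).
name: Snyk Security Scan

on:
  push:
    branches:
      - main
    # examples/ is deliberately not ignored: snyk-iac scans that directory,
    # so changes to it must trigger a run.
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'LICENSE'
  pull_request:
    branches:
      - main
      - develop
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'LICENSE'
  schedule:
    # Run weekly on Monday at 2 AM UTC so newly published advisories are picked
    # up even when the repository is quiet.
    - cron: '0 2 * * 1'
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Only cancel superseded runs for pull requests; every push to main gets a
  # complete scan and a monitor registration.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  PYTHON_VERSION: "3.14"

jobs:
  snyk-test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - name: Check whether SNYK_TOKEN is available
        id: snyk-token
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::warning::SNYK_TOKEN is not available (expected for pull requests from forks); Snyk steps are skipped."
          fi

      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          version: latest
          virtualenvs-create: true
          virtualenvs-in-project: true

      - name: Install poetry-plugin-export
        run: poetry self add poetry-plugin-export

      - name: Cache Poetry dependencies
        uses: actions/cache@v5
        with:
          path: .venv
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

      - name: Install dependencies
        run: poetry install --no-interaction

      # Snyk's Python scanner reads a requirements file; hashes are omitted
      # because the scanner does not use them.
      - name: Export requirements.txt for Snyk
        run: poetry export -f requirements.txt --output requirements.txt --without-hashes

      # continue-on-error: a non-zero exit (findings at or above the threshold,
      # or a CLI error) must not prevent the SARIF upload below.
      - name: Run Snyk dependency vulnerability scan
        if: steps.snyk-token.outputs.present == 'true'
        uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --file=requirements.txt --sarif-file-output=snyk-sca.sarif

      # The CLI may exit without writing a SARIF file (e.g. on an error);
      # upload-sarif needs a valid file, so provide an empty result set.
      - name: Create empty SARIF if missing
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        run: |
          if [ ! -f snyk-sca.sarif ] || [ ! -s snyk-sca.sarif ]; then
            echo '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"Snyk SCA","version":"1.0.0"}},"results":[]}]}' > snyk-sca.sarif
          fi

      - name: Upload Snyk SCA results to GitHub Code Scanning
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: snyk-sca.sarif
          category: snyk-sca

  snyk-code:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - name: Check whether SNYK_TOKEN is available
        id: snyk-token
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::warning::SNYK_TOKEN is not available (expected for pull requests from forks); Snyk steps are skipped."
          fi

      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Install Snyk CLI
        if: steps.snyk-token.outputs.present == 'true'
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # continue-on-error: findings are reported via Code Scanning, not by
      # failing the workflow.
      - name: Run Snyk Code analysis (SAST)
        if: steps.snyk-token.outputs.present == 'true'
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: snyk code test --sarif-file-output=snyk-code.sarif

      - name: Create empty SARIF if missing
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        run: |
          if [ ! -f snyk-code.sarif ] || [ ! -s snyk-code.sarif ]; then
            echo '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"Snyk Code","version":"1.0.0"}},"results":[]}]}' > snyk-code.sarif
          fi

      - name: Upload Snyk Code results to GitHub Code Scanning
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: snyk-code.sarif
          category: snyk-code

  snyk-iac:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read           # upload-sarif on private repositories
    steps:
      - name: Check whether SNYK_TOKEN is available
        id: snyk-token
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::warning::SNYK_TOKEN is not available (expected for pull requests from forks); Snyk steps are skipped."
          fi

      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Install Snyk CLI
        if: steps.snyk-token.outputs.present == 'true'
        uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0

      # continue-on-error already keeps the job going on a non-zero exit; the
      # former "|| true" hid CLI errors (exit code 2) from the step status.
      - name: Scan Infrastructure as Code files
        if: steps.snyk-token.outputs.present == 'true'
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          # Scan any Ansible playbooks in examples
          snyk iac test examples/ --sarif-file-output=snyk-iac.sarif

      - name: Create empty SARIF if missing
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        run: |
          if [ ! -f snyk-iac.sarif ] || [ ! -s snyk-iac.sarif ]; then
            echo '{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json","runs":[{"tool":{"driver":{"name":"Snyk IaC","version":"1.0.0"}},"results":[]}]}' > snyk-iac.sarif
          fi

      - name: Upload Snyk IaC results to GitHub Code Scanning
        if: ${{ steps.snyk-token.outputs.present == 'true' && !cancelled() }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: snyk-iac.sarif
          category: snyk-iac

  # Registers the current dependency set with Snyk so that newly published
  # advisories are reported without a new workflow run. Only meaningful for
  # the main branch.
  snyk-monitor:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
    steps:
      - name: Check whether SNYK_TOKEN is available
        id: snyk-token
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "::warning::SNYK_TOKEN is not available; Snyk monitor registration is skipped."
          fi

      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v6
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install Poetry
        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
        with:
          version: latest
          virtualenvs-create: true
          virtualenvs-in-project: true

      - name: Install poetry-plugin-export
        run: poetry self add poetry-plugin-export

      - name: Cache Poetry dependencies
        uses: actions/cache@v5
        with:
          path: .venv
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

      - name: Install dependencies
        run: poetry install --no-interaction

      - name: Export requirements.txt for Snyk
        run: poetry export -f requirements.txt --output requirements.txt --without-hashes

      - name: Register project with Snyk monitoring
        if: steps.snyk-token.outputs.present == 'true'
        uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: --file=requirements.txt --project-name=souschef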