diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml
index eb88f184..172cd7c0 100644
--- a/.github/workflows/snyk_sca_scan.yaml
+++ b/.github/workflows/snyk_sca_scan.yaml
@@ -1,4 +1,8 @@
 name: Snyk Software Composition Analysis Scan
+# This git workflow leverages Snyk actions to perform a Software Composition
+# Analysis scan on our Opensource libraries upon Pull Requests to Master &
+# Develop branches. We use this as a control to prevent vulnerable packages
+# from being introduced into the codebase.
 on:
   pull_request:
     branches:
@@ -9,17 +13,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node-version: [16.x]
+        node-version: [20.x]
     steps:
       - uses: actions/checkout@v3
       - name: Setting up Node
-        #- name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Run Snyk to check for opensource vulnerabilities
-        uses: snyk/actions/setup@master
+      - name: Installing snyk-delta and dependencies
+        run: npm i -g snyk-delta
+      - uses: snyk/actions/setup@master
+      - name: Perform SCA Scan
+        continue-on-error: false
         run: |
-          snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=docker,Dockerfile --severity-threshold=critical
+          snyk test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=critical
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
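Review bot: The new `- uses: snyk/actions/setup@master` step in the second hunk tracks a mutable branch, so the scanner this gate depends on can change without any commit in this repository; pin it to a release tag or a full commit SHA (`- uses: snyk/actions/setup@<commit-sha>`, placeholder) the way the checkout and setup-node steps are already pinned by tag. The same applies to `run: npm i -g snyk-delta`, which installs whatever version is latest on each run — pin it (`npm i -g snyk-delta@<version>`, placeholder) and note that nothing in this hunk invokes snyk-delta, so if it is not used further down the file the install step is dead weight. Dropping `--strict-out-of-sync=false` and lowering `--detection-depth` from 6 to 4 both change what the gate catches (an out-of-sync lockfile now fails the scan; manifests nested deeper than four directories are no longer scanned), which is worth a line in the new header comment if intended. `continue-on-error: false` is the default and can be omitted. The jobs block continues outside the hunk.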