SEC-507 MAINT: Updating Snyk actions (#631)

cypresschris · web-flow · commit 0371d5d46ecb · 2023-03-22T12:31:29.000-04:00
diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml
@@ -1,13 +1,10 @@
 name: Snyk Software Composition Analysis Scan
-# This git workflow leverages Snyk actions to perform a Software Composition 
-# Analysis scan on our Opensource libraries upon Pull Requests to Master & 
-# Develop branches. We use this as a control to prevent vulnerable packages 
-# from being introduced into the codebase. 
 on:
-  pull_request_target:
-    types:
-      - opened
-    branches: 
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
       - master
       - develop
 jobs:
@@ -17,17 +14,15 @@ jobs:
       matrix:
         node-version: [16.x]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Setting up Node
-        uses: actions/setup-node@v1
+        #- name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - name: Installing snyk-delta and dependencies
-        run: npm i -g snyk-delta
-      - uses: snyk/actions/setup@master
-      - name: Perform SCA Scan
-        continue-on-error: false
-        run: |
-          snyk test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=critical
+      - name: Run Snyk to check for opensource vulnerabilities
+        uses: snyk/actions/node@master
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
+        with:
+          args: --debug  --strict-out-of-sync=false --detection-depth=6 --exclude=docker,Dockerfile --severity-threshold=critical
diff --git a/.github/workflows/snyk_static_analysis_scan.yaml b/.github/workflows/snyk_static_analysis_scan.yaml
@@ -1,29 +1,22 @@
 name: Snyk Static Analysis Scan
-# This git workflow leverages Snyk actions to perform a Static Application 
-# Testing scan (SAST) on our first-party code upon Pull Requests to Master & 
-# Develop branches. We use this as a control to prevent vulnerabilities 
-# from being introduced into the codebase. 
+# This SAST (Static Application Security Testing) scan is used to scan
+# our first-party code for security vulnerabilities
 on:
-  pull_request_target:
-    types:
-      - opened
-    branches: 
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
       - master
       - develop
 jobs:
-  Snyk_SAST_Scan :
+  Snyk_SAST_Scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: snyk/actions/setup@master
       - name: Perform Static Analysis Test
-        continue-on-error: true
-        run: |
-          snyk code test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=high
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      # The Following Requires Advanced Security License
-      # - name: Upload results to Github Code Scanning
-      #   uses: github/codeql-action/upload-sarif@v1
-      #   with:
-      #     sarif_file: snyk_sarif
+          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
+        continue-on-error: true
+        run: snyk code test  --strict-out-of-sync=false --detection-depth=6 --exclude=docker,Dockerfile --severity-threshold=high
