From 303709111d083b8c1fad4184b4fc9ce293a8e2e7 Mon Sep 17 00:00:00 2001
From: Phil Varner
Date: Wed, 28 Jan 2026 09:25:19 -0500
Subject: [PATCH 1/3] Add Snyk SCA and SAST pipeline workflows for GitHub Actions and Azure DevOps
---
 .github/workflows/snyk-sca-sast-demo.yml | 198 +++++++++++++++++
 azure-pipelines-snyk-sca-sast-demo.yml | 258 +++++++++++++++++++++++
 2 files changed, 456 insertions(+)
 create mode 100644 .github/workflows/snyk-sca-sast-demo.yml
 create mode 100644 azure-pipelines-snyk-sca-sast-demo.yml
diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml
new file mode 100644
index 00000000000..347ba97c370
--- /dev/null
+++ b/.github/workflows/snyk-sca-sast-demo.yml
@@ -0,0 +1,198 @@
+name: Snyk SCA and SAST Security Pipeline
+
+# ============================================================================
+# TRIGGER CONFIGURATION
+# ============================================================================
+# This workflow runs on:
+# - Every push to main/master branches (typical for production deployments)
+# - Pull requests targeting main/master (for pre-merge security validation)
+# - Manual trigger via workflow_dispatch (for on-demand testing)
+on:
+ push:
+ branches: [ main, master ]
+ pull_request:
+ branches: [ main, master ]
+ workflow_dispatch:
+
+# ============================================================================
+# SNYK OPEN SOURCE (SCA) SCAN JOB
+# ============================================================================
+# Software Composition Analysis (SCA) scans your open-source dependencies
+# for known vulnerabilities in third-party packages
+jobs:
+ snyk-sca-scan:
+ name: Snyk Open Source (SCA) Scan
+ runs-on: ubuntu-latest
+
+ # Required permissions for GitHub integration
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ # Step 1: Check out the repository code
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Step 2: Set up Node.js environment (required for npm projects)
+ - name: Setup Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: '18'
+
+ # Step 3: Install project dependencies
+ # This ensures Snyk can analyze the actual dependency tree
+ - name: Install dependencies
+ run: npm install
+
+ # Step 4: Install and configure Snyk CLI
+ - name: Setup Snyk CLI
+ uses: snyk/actions/setup@master
+
+ # Step 5: Authenticate with Snyk using organization token
+ # SNYK_TOKEN should be configured as a GitHub secret
+ - name: Authenticate Snyk
+ run: snyk auth ${{ secrets.SNYK_TOKEN }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Step 6: Run Snyk Open Source TEST
+ # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found
+ # --severity-threshold=high: Only fail on high or critical severity issues
+ # --all-projects: Scan all package manager manifests in the repo
+ #
+ # BLOCKING MODE (COMMENTED OUT FOR DEMO)
+ # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities
+ # Remove 'continue-on-error: true' to enforce the block
+ # - name: Snyk Open Source Test (Block on High+)
+ # run: |
+ # snyk test \
+ # --severity-threshold=high \
+ # --all-projects \
+ # --org=${{ secrets.SNYK_ORG_ID }}
+ # env:
+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # MONITOR-ONLY MODE (CURRENTLY ACTIVE)
+ # This version runs the test but doesn't block the pipeline
+ - name: Snyk Open Source Test (Report Only)
+ continue-on-error: true
+ run: |
+ snyk test \
+ --severity-threshold=high \
+ --all-projects \
+ --org=${{ secrets.SNYK_ORG_ID }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Step 7: Run Snyk Open Source MONITOR
+ # This sends results to Snyk Dashboard for continuous monitoring
+ # Runs even if test fails (continue-on-error: true)
+ # --project-name: Custom name visible in Snyk UI
+ # --target-reference: Git branch/tag for tracking different environments
+ - name: Snyk Open Source Monitor (Send to Dashboard)
+ continue-on-error: true
+ run: |
+ snyk monitor \
+ --all-projects \
+ --org=${{ secrets.SNYK_ORG_ID }} \
+ --project-name="nodejs-goof-sca" \
+ --target-reference=${{ github.ref_name }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+# ============================================================================
+# SNYK CODE (SAST) SCAN JOB
+# ============================================================================
+# Static Application Security Testing (SAST) analyzes your first-party code
+# for security vulnerabilities and code quality issues
+ snyk-code-scan:
+ name: Snyk Code (SAST) Scan
+ runs-on: ubuntu-latest
+
+ # Required permissions for GitHub integration
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ # Step 1: Check out the repository code
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Step 2: Install and configure Snyk CLI
+ - name: Setup Snyk CLI
+ uses: snyk/actions/setup@master
+
+ # Step 3: Authenticate with Snyk using organization token
+ - name: Authenticate Snyk
+ run: snyk auth ${{ secrets.SNYK_TOKEN }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Step 4: Run Snyk Code TEST
+ # This scans your source code and BLOCKS the pipeline if high/critical vulns are found
+ # --severity-threshold=high: Only fail on high or critical severity issues
+ # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc.
+ #
+ # BLOCKING MODE (COMMENTED OUT FOR DEMO)
+ # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities
+ # Remove 'continue-on-error: true' to enforce the block
+ # - name: Snyk Code Test (Block on High+)
+ # run: |
+ # snyk code test \
+ # --severity-threshold=high \
+ # --org=${{ secrets.SNYK_ORG_ID }}
+ # env:
+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # MONITOR-ONLY MODE (CURRENTLY ACTIVE)
+ # This version runs the test but doesn't block the pipeline
+ - name: Snyk Code Test (Report Only)
+ continue-on-error: true
+ run: |
+ snyk code test \
+ --severity-threshold=high \
+ --org=${{ secrets.SNYK_ORG_ID }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Step 5: Run Snyk Code MONITOR (using snyk monitor with --unmanaged flag)
+ # This sends SAST results to Snyk Dashboard for continuous monitoring
+ # Note: Snyk Code results are included when using 'snyk monitor'
+ # --project-name: Custom name visible in Snyk UI
+ # --target-reference: Git branch/tag for tracking
+ - name: Snyk Code Monitor (Send to Dashboard)
+ continue-on-error: true
+ run: |
+ snyk monitor \
+ --org=${{ secrets.SNYK_ORG_ID }} \
+ --project-name="nodejs-goof-sast" \
+ --target-reference=${{ github.ref_name }}
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+# ============================================================================
+# REQUIRED GITHUB SECRETS
+# ============================================================================
+# To use this pipeline, configure these secrets in your GitHub repository:
+# Settings > Secrets and variables > Actions > New repository secret
+#
+# 1. SNYK_TOKEN: Your Snyk API token
+# - Get from: https://app.snyk.io/account (Account Settings > API Token)
+# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc)
+#
+# 2. SNYK_ORG_ID: Your Snyk Organization ID (optional but recommended)
+# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings
+# - Format: UUID string or organization slug
+# - If not set, uses your default organization
+#
+# ============================================================================
+# DEMO TALKING POINTS
+# ============================================================================
+# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge
+# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline
+# 3. FAIL-FAST: Pipeline blocks on high/critical vulnerabilities
+# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time
+# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and GitHub Actions UI
+# 6. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC)
diff --git a/azure-pipelines-snyk-sca-sast-demo.yml b/azure-pipelines-snyk-sca-sast-demo.yml
new file mode 100644
index 00000000000..6840b592c29
--- /dev/null
+++ b/azure-pipelines-snyk-sca-sast-demo.yml
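Review bot: Both jobs pull `snyk/actions/setup@master`, a mutable branch ref, so every run executes whatever that branch currently points to with `SNYK_TOKEN` in scope; pin it to a full commit SHA, e.g. `uses: snyk/actions/setup@<commit-sha> # <tag>`, and consider the same for `actions/checkout@v4` and `actions/setup-node@v4`. The `permissions` block grants `security-events: write` to both jobs, but no step uploads SARIF, so `contents: read` alone is the least-privilege setting here. Step 5 also interpolates the secret into the shell command (`run: snyk auth ${{ secrets.SNYK_TOKEN }}`) even though the same value is exported as `SNYK_TOKEN`, which the CLI reads by itself; dropping the auth step, or at least writing `run: snyk auth "$SNYK_TOKEN"`, keeps the token off the command line. On `pull_request` runs from forks `secrets.SNYK_TOKEN` is empty, so that auth step fails the job outright rather than degrading to "report only" as the test steps do. Talking point 3 in the trailer says the pipeline blocks on high/critical findings, but blocking is commented out; the Azure file's wording "(when enabled)" is the accurate one and should be mirrored here.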
@@ -0,0 +1,258 @@
+# ============================================================================
+# AZURE DEVOPS PIPELINE - SNYK SCA AND SAST SECURITY SCANNING
+# ============================================================================
+# This pipeline performs Software Composition Analysis (SCA) and
+# Static Application Security Testing (SAST) using Snyk
+#
+# IMPORTANT: This is the Azure DevOps/TFS equivalent of the GitHub Actions workflow
+# Key differences from GitHub Actions:
+# - Uses 'trigger' instead of 'on'
+# - Uses 'jobs' with 'steps' instead of GitHub Actions syntax
+# - Uses 'script' or 'task' instead of 'run'
+# - Variables are defined differently
+# - Secrets accessed via $(VARIABLE_NAME) instead of ${{ secrets.NAME }}
+
+# ============================================================================
+# TRIGGER CONFIGURATION
+# ============================================================================
+# This pipeline runs on:
+# - Every push to main/master branches (CI trigger)
+# - Pull requests targeting main/master (PR validation)
+# - Manual trigger via Azure DevOps UI
+trigger:
+ branches:
+ include:
+ - main
+ - master
+
+pr:
+ branches:
+ include:
+ - main
+ - master
+
+# ============================================================================
+# PIPELINE VARIABLES
+# ============================================================================
+# Define variables used throughout the pipeline
+# SNYK_TOKEN should be configured as a secret variable in Azure DevOps:
+# Pipeline > Edit > Variables > New variable > Keep this value secret
+variables:
+ nodeVersion: '18.x'
+ # SNYK_TOKEN: Configured as secret variable in Azure DevOps
+ # SNYK_ORG_ID: Configured as variable in Azure DevOps (optional)
+
+# ============================================================================
+# AGENT POOL CONFIGURATION
+# ============================================================================
+# Specifies the build agent to use (equivalent to 'runs-on' in GitHub Actions)
+pool:
+ vmImage: 'ubuntu-latest'
+
+# ============================================================================
+# PIPELINE STAGES AND JOBS
+# ============================================================================
+stages:
+ # ==========================================================================
+ # STAGE 1: SNYK OPEN SOURCE (SCA) SCAN
+ # ==========================================================================
+ # Software Composition Analysis (SCA) scans your open-source dependencies
+ # for known vulnerabilities in third-party packages
+ - stage: SnykSCA
+ displayName: 'Snyk Open Source (SCA) Scan'
+ jobs:
+ - job: SCA_Scan
+ displayName: 'SCA Security Scan'
+ steps:
+ # Step 1: Check out the repository code
+ - checkout: self
+ displayName: 'Checkout code'
+
+ # Step 2: Set up Node.js environment (required for npm projects)
+ - task: NodeTool@0
+ displayName: 'Setup Node.js'
+ inputs:
+ versionSpec: '$(nodeVersion)'
+
+ # Step 3: Install project dependencies
+ # This ensures Snyk can analyze the actual dependency tree
+ - script: npm install
+ displayName: 'Install dependencies'
+
+ # Step 4: Install Snyk CLI
+ # Azure DevOps doesn't have a built-in Snyk action, so we install via npm
+ - script: npm install -g snyk
+ displayName: 'Install Snyk CLI'
+
+ # Step 5: Authenticate with Snyk using organization token
+ # SNYK_TOKEN should be configured as a secret variable in Azure DevOps
+ - script: snyk auth $(SNYK_TOKEN)
+ displayName: 'Authenticate Snyk'
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # Step 6: Run Snyk Open Source TEST
+ # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found
+ # --severity-threshold=high: Only fail on high or critical severity issues
+ # --all-projects: Scan all package manager manifests in the repo
+ #
+ # BLOCKING MODE (COMMENTED OUT FOR DEMO)
+ # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities
+ # Remove 'continueOnError: true' to enforce the block
+ # - script: |
+ # snyk test \
+ # --severity-threshold=high \
+ # --all-projects \
+ # --org=$(SNYK_ORG_ID)
+ # displayName: 'Snyk Open Source Test (Block on High+)'
+ # env:
+ # SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # MONITOR-ONLY MODE (CURRENTLY ACTIVE)
+ # This version runs the test but doesn't block the pipeline
+ - script: |
+ snyk test \
+ --severity-threshold=high \
+ --all-projects \
+ --org=$(SNYK_ORG_ID) || true
+ displayName: 'Snyk Open Source Test (Report Only)'
+ continueOnError: true
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # Step 7: Run Snyk Open Source MONITOR
+ # This sends results to Snyk Dashboard for continuous monitoring
+ # Runs even if test fails (continueOnError: true)
+ # --project-name: Custom name visible in Snyk UI
+ # --target-reference: Git branch/tag for tracking different environments
+ - script: |
+ snyk monitor \
+ --all-projects \
+ --org=$(SNYK_ORG_ID) \
+ --project-name="nodejs-goof-sca" \
+ --target-reference=$(Build.SourceBranchName)
+ displayName: 'Snyk Open Source Monitor (Send to Dashboard)'
+ continueOnError: true
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # ==========================================================================
+ # STAGE 2: SNYK CODE (SAST) SCAN
+ # ==========================================================================
+ # Static Application Security Testing (SAST) analyzes your first-party code
+ # for security vulnerabilities and code quality issues
+ - stage: SnykCode
+ displayName: 'Snyk Code (SAST) Scan'
+ dependsOn: [] # Run in parallel with SCA stage
+ jobs:
+ - job: SAST_Scan
+ displayName: 'SAST Security Scan'
+ steps:
+ # Step 1: Check out the repository code
+ - checkout: self
+ displayName: 'Checkout code'
+
+ # Step 2: Install Snyk CLI
+ - script: npm install -g snyk
+ displayName: 'Install Snyk CLI'
+
+ # Step 3: Authenticate with Snyk using organization token
+ - script: snyk auth $(SNYK_TOKEN)
+ displayName: 'Authenticate Snyk'
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # Step 4: Run Snyk Code TEST
+ # This scans your source code and BLOCKS the pipeline if high/critical vulns are found
+ # --severity-threshold=high: Only fail on high or critical severity issues
+ # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc.
+ #
+ # BLOCKING MODE (COMMENTED OUT FOR DEMO)
+ # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities
+ # Remove 'continueOnError: true' to enforce the block
+ # - script: |
+ # snyk code test \
+ # --severity-threshold=high \
+ # --org=$(SNYK_ORG_ID)
+ # displayName: 'Snyk Code Test (Block on High+)'
+ # env:
+ # SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # MONITOR-ONLY MODE (CURRENTLY ACTIVE)
+ # This version runs the test but doesn't block the pipeline
+ - script: |
+ snyk code test \
+ --severity-threshold=high \
+ --org=$(SNYK_ORG_ID) || true
+ displayName: 'Snyk Code Test (Report Only)'
+ continueOnError: true
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+ # Step 5: Run Snyk Code MONITOR
+ # This sends SAST results to Snyk Dashboard for continuous monitoring
+ # Note: Snyk Code results are included when using 'snyk monitor'
+ # --project-name: Custom name visible in Snyk UI
+ # --target-reference: Git branch/tag for tracking
+ - script: |
+ snyk monitor \
+ --org=$(SNYK_ORG_ID) \
+ --project-name="nodejs-goof-sast" \
+ --target-reference=$(Build.SourceBranchName)
+ displayName: 'Snyk Code Monitor (Send to Dashboard)'
+ continueOnError: true
+ env:
+ SNYK_TOKEN: $(SNYK_TOKEN)
+
+# ============================================================================
+# REQUIRED AZURE DEVOPS VARIABLES
+# ============================================================================
+# To use this pipeline, configure these variables in Azure DevOps:
+# Pipeline > Edit > Variables > New variable
+#
+# 1. SNYK_TOKEN (SECRET): Your Snyk API token
+# - Get from: https://app.snyk.io/account (Account Settings > API Token)
+# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc)
+# - IMPORTANT: Check "Keep this value secret" when creating the variable
+#
+# 2. SNYK_ORG_ID (OPTIONAL): Your Snyk Organization ID
+# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings
+# - Format: UUID string or organization slug
+# - If not set, uses your default organization
+#
+# ============================================================================
+# KEY DIFFERENCES FROM GITHUB ACTIONS
+# ============================================================================
+# 1. SYNTAX:
+# - GitHub: 'on:' → Azure DevOps: 'trigger:' and 'pr:'
+# - GitHub: 'jobs:' → Azure DevOps: 'stages:' and 'jobs:'
+# - GitHub: 'runs-on:' → Azure DevOps: 'pool:'
+# - GitHub: 'steps: - name:' → Azure DevOps: 'steps: - script:' or 'task:'
+#
+# 2. SECRETS:
+# - GitHub: ${{ secrets.SNYK_TOKEN }} → Azure DevOps: $(SNYK_TOKEN)
+# - Configured in: Pipeline > Variables (not repository secrets)
+#
+# 3. CONTEXT VARIABLES:
+# - GitHub: ${{ github.ref_name }} → Azure DevOps: $(Build.SourceBranchName)
+# - GitHub: ${{ github.sha }} → Azure DevOps: $(Build.SourceVersion)
+#
+# 4. ACTIONS vs TASKS:
+# - GitHub uses pre-built actions (e.g., actions/checkout@v4)
+# - Azure DevOps uses tasks or direct script commands
+# - No native Snyk task, so we use 'npm install -g snyk'
+#
+# 5. PARALLEL EXECUTION:
+# - GitHub: Jobs run in parallel by default
+# - Azure DevOps: Use 'dependsOn: []' to run stages in parallel
+#
+# ============================================================================
+# DEMO TALKING POINTS
+# ============================================================================
+# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge
+# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline
+# 3. 
FAIL-FAST: Pipeline blocks on high/critical vulnerabilities (when enabled) +# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time +# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and Azure DevOps UI +# 6. CROSS-PLATFORM: Works with Azure DevOps Server (TFS) and Azure DevOps Services +# 7. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC) From 7cf9dade6f2264e742a4624b378ca6774a590a69 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Wed, 28 Jan 2026 09:35:16 -0500 Subject: [PATCH 2/3] Fix SCA project name and clarify SAST monitoring behavior --- .github/workflows/snyk-sca-sast-demo.yml | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml index 347ba97c370..75a06c58319 100644 --- a/.github/workflows/snyk-sca-sast-demo.yml +++ b/.github/workflows/snyk-sca-sast-demo.yml @@ -21,7 +21,7 @@ on: # for known vulnerabilities in third-party packages jobs: snyk-sca-scan: - name: Snyk Open Source (SCA) Scan + name: SCA - Snyk Open Source Scan runs-on: ubuntu-latest # Required permissions for GitHub integration @@ -94,7 +94,6 @@ jobs: continue-on-error: true run: | snyk monitor \ - --all-projects \ --org=${{ secrets.SNYK_ORG_ID }} \ --project-name="nodejs-goof-sca" \ --target-reference=${{ github.ref_name }} @@ -107,7 +106,7 @@ jobs: # Static Application Security Testing (SAST) analyzes your first-party code # for security vulnerabilities and code quality issues snyk-code-scan: - name: Snyk Code (SAST) Scan + name: SAST - Snyk Code Scan runs-on: ubuntu-latest # Required permissions for GitHub integration 
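Review bot: In the "Report Only" steps of both stages the script ends with `|| true` while the step also sets `continueOnError: true`, so the exit status is discarded before Azure DevOps ever sees it — the step is plain green instead of "succeeded with issues", and the comment "Remove 'continueOnError: true' to enforce the block" is incomplete because `|| true` has to go as well. Drop the `|| true` and keep `continueOnError: true` alone, which still surfaces the finding in the run summary without failing the pipeline. As in the GitHub workflow, `script: snyk auth $(SNYK_TOKEN)` macro-expands the secret into the script body although the `env:` mapping already provides it; `script: snyk auth "$SNYK_TOKEN"` (or omitting the step) keeps the token out of the command line. `npm install -g snyk` also fetches an unpinned CLI on every run; pin it, e.g. `npm install -g snyk@<version>`, so the scanner itself is reproducible. Stage 2 runs npm without the NodeTool step that stage 1 has, so it presumably relies on the Node shipped in the image — worth making explicit for parity.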
@@ -157,20 +156,11 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Step 5: Run Snyk Code MONITOR (using snyk monitor with --unmanaged flag) - # This sends SAST results to Snyk Dashboard for continuous monitoring - # Note: Snyk Code results are included when using 'snyk monitor' - # --project-name: Custom name visible in Snyk UI - # --target-reference: Git branch/tag for tracking - - name: Snyk Code Monitor (Send to Dashboard) - continue-on-error: true - run: | - snyk monitor \ - --org=${{ secrets.SNYK_ORG_ID }} \ - --project-name="nodejs-goof-sast" \ - --target-reference=${{ github.ref_name }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # Step 5: Snyk Code Results Automatically Sent to Dashboard + # IMPORTANT: Snyk Code (SAST) does NOT use 'snyk monitor' + # The 'snyk code test' command above automatically sends results to the Snyk Dashboard + # No separate monitor step is needed for SAST - results appear in the Code Analysis section + # You can view them at: https://app.snyk.io/org/YOUR_ORG/projects (filter by "Code analysis") # ============================================================================ # REQUIRED GITHUB SECRETS From 416192aa9bef73e9531f80fea9a09149ff4a6dd8 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Wed, 28 Jan 2026 10:05:48 -0500 Subject: [PATCH 3/3] Add --report flag to SCA and SAST scans to persist results to Snyk Dashboard --- .github/workflows/snyk-sca-sast-demo.yml | 57 +++++++++++------------- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml index 75a06c58319..8bddba28f17 100644 --- a/.github/workflows/snyk-sca-sast-demo.yml +++ b/.github/workflows/snyk-sca-sast-demo.yml 
@@ -68,33 +68,25 @@ jobs: # run: | # snyk test \ # --severity-threshold=high \ - # --all-projects \ - # --org=${{ secrets.SNYK_ORG_ID }} + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sca" \ + # --target-reference=${{ github.ref_name }} # env: # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # MONITOR-ONLY MODE (CURRENTLY ACTIVE) - # This version runs the test but doesn't block the pipeline - - name: Snyk Open Source Test (Report Only) - continue-on-error: true - run: | - snyk test \ - --severity-threshold=high \ - --all-projects \ - --org=${{ secrets.SNYK_ORG_ID }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Step 7: Run Snyk Open Source MONITOR - # This sends results to Snyk Dashboard for continuous monitoring - # Runs even if test fails (continue-on-error: true) + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends results to Snyk Dashboard for continuous monitoring # --project-name: Custom name visible in Snyk UI # --target-reference: Git branch/tag for tracking different environments - - name: Snyk Open Source Monitor (Send to Dashboard) + - name: Snyk Open Source Test & Report (Send to Dashboard) continue-on-error: true run: | - snyk monitor \ - --org=${{ secrets.SNYK_ORG_ID }} \ + snyk test \ + --severity-threshold=high \ + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ --project-name="nodejs-goof-sca" \ --target-reference=${{ github.ref_name }} env: 
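Review bot: The active and the commented-out `snyk test` steps now hard-code the organization UUID `2c2549f7-de55-4c31-aaea-bea685244487` where `${{ secrets.SNYK_ORG_ID }}` used to be, and the SAST hunk below does the same (plus an org slug in the dashboard URL), while the "REQUIRED GITHUB SECRETS" block at the end of the file, which no hunk in this patch touches, still instructs users to configure SNYK_ORG_ID. Restore the reference, `--org=${{ secrets.SNYK_ORG_ID }} \`, or use a repository variable, `--org=${{ vars.SNYK_ORG_ID }} \`, so the workflow stays portable and the documented setup stays true. The rewrite also silently drops `--all-projects`, so only the root manifest is tested and reported; if that is intended, the step-6 comment lines just above this hunk that describe `--all-projects` should be updated to match.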
@@ -141,26 +133,31 @@ jobs: # run: | # snyk code test \ # --severity-threshold=high \ - # --org=${{ secrets.SNYK_ORG_ID }} + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sast" # env: # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # MONITOR-ONLY MODE (CURRENTLY ACTIVE) - # This version runs the test but doesn't block the pipeline - - name: Snyk Code Test (Report Only) + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends SAST results to Snyk Dashboard for continuous monitoring + # --project-name: Custom name visible in Snyk UI (required for --report) + - name: Snyk Code Test & Report (Send to Dashboard) continue-on-error: true run: | snyk code test \ --severity-threshold=high \ - --org=${{ secrets.SNYK_ORG_ID }} + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + --project-name="nodejs-goof-sast" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Step 5: Snyk Code Results Automatically Sent to Dashboard - # IMPORTANT: Snyk Code (SAST) does NOT use 'snyk monitor' - # The 'snyk code test' command above automatically sends results to the Snyk Dashboard - # No separate monitor step is needed for SAST - results appear in the Code Analysis section - # You can view them at: https://app.snyk.io/org/YOUR_ORG/projects (filter by "Code analysis") + # Step 5: SAST Results Sent to Dashboard + # The --report flag above sends Snyk Code results to the Snyk Dashboard + # Results will appear at: https://app.snyk.io/org/varner-tech-engineering/projects + # Look for project name: nodejs-goof-sast # ============================================================================ # REQUIRED GITHUB SECRETS