
feat(diagnostics): unified 3-layer DiagnosticResult model (#204) #463




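---
# Snyk Security Scan
# Runs on PRs, pushes to main, and a weekly schedule
# Enterprise license via Snyk Open Source Program
#
# Both scan steps run with `continue-on-error: true`, so findings never fail
# the workflow on their own; the SARIF upload is what surfaces them in the
# Security tab. Drop `continue-on-error` if the scan is meant to gate merges.
name: Snyk Security

on:
  pull_request:
    branches: [main]
  # The header has always described push scanning, but only PR + schedule
  # triggers were configured. Scanning pushes to main keeps the default-branch
  # Code Scanning alerts current between the weekly runs.
  push:
    branches: [main]
  schedule:
    # Run weekly security scan every Monday at 9 AM UTC
    - cron: '0 9 * * 1'

# Least privilege for GITHUB_TOKEN: read the checkout, write Code Scanning
# alerts. Nothing here needs write access to contents, PRs or packages.
permissions:
  contents: read
  security-events: write
  # Required by upload-sarif when the repository is private.
  actions: read

jobs:
  snyk-dependencies:
    name: Snyk Dependency Scan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are pinned by major tag only. Pinning to a full
      # commit SHA (`uses: owner/repo@<commit-sha>  # vN`) protects against a
      # tag being re-pointed upstream.
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Snyk CLI
        # NOTE(review): unpinned — every run installs whatever `snyk` is
        # latest on npm. Pinning (`npm install -g snyk@<version>`) makes scan
        # results reproducible and narrows the supply-chain exposure.
        run: npm install -g snyk
      - name: Install dependencies
        # Installs the project with its `full` extras first; the scanner is
        # expected to resolve the dependency tree from this environment.
        run: |
          python -m pip install --upgrade pip
          pip install -e ".[full]"
      - name: Run Snyk to check for vulnerabilities
        # A non-zero exit on findings is expected here; see header note.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          # Passed through the environment rather than expanded into the
          # shell line, so the secret is never part of the command text.
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        run: snyk test --org="$SNYK_ORG_ID" --severity-threshold=high --sarif-file-output=snyk.sarif
      - name: Upload Snyk results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        # Upload even when the scan step exited non-zero (findings), but only
        # if a SARIF file was actually written (not on e.g. an auth failure).
        if: always() && hashFiles('snyk.sarif') != ''
        with:
          sarif_file: snyk.sarif
          # Distinct categories keep the two Snyk analyses in this workflow
          # from being treated as the same analysis and overwriting each other.
          category: snyk-open-source

  snyk-code:
    name: Snyk Code Analysis (SAST)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): same tag-pinning caveat as the dependency job above.
      - uses: actions/checkout@v4
      - name: Install Snyk CLI
        # NOTE(review): unpinned CLI install, same caveat as above.
        run: npm install -g snyk
      - name: Run Snyk Code test
        # A non-zero exit on findings is expected here; see header note.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          # Passed via the environment, not expanded into the command line.
          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
        run: snyk code test --org="$SNYK_ORG_ID" --sarif-file-output=snyk-code.sarif
      - name: Upload Snyk Code results
        uses: github/codeql-action/upload-sarif@v4
        # Upload only when a SARIF file exists, regardless of the scan's exit code.
        if: always() && hashFiles('snyk-code.sarif') != ''
        with:
          sarif_file: snyk-code.sarif
          # Separate category from the dependency-scan upload (see above).
          category: snyk-code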