Integrate Snyk for security scanning #179
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change integrates Snyk into the CI/CD pipeline to perform security vulnerability scanning on all projects.
Key changes include:
- Added Snyk CLI installation (using pnpm) and scan steps to the .github/workflows/node.js.yml GitHub Actions workflow.
- Configured Snyk to output results in SARIF format (snyk.sarif).
- Updated README.md to include:
- Information about the Snyk integration.
- Instructions for configuring the SNYK_TOKEN GitHub secret.
- Guidance on running Snyk scans locally for development and testing.
How to test:
1. After these changes are pushed, a Pull Request should be created.
2. Verify that the "Node.js CI" GitHub Action associated with the PR runs successfully.
3. In the GitHub Action logs for the "Run Snyk scan" step:
- Confirm that the Snyk scan executes without errors.
- Check for any reported vulnerabilities.
4. (Optional) If a step to upload SARIF files as build artifacts is added to the workflow, verify that snyk.sarif is available for download.
5. Review the changes in README.md to ensure the documentation regarding Snyk integration, configuration, and local testing is clear, accurate, and complete.
Addresses the ERR_PNPM_NO_GLOBAL_BIN_DIR error during Snyk CLI installation in the GitHub Actions workflow. This commit adds a 'pnpm setup' step before installing global pnpm packages. This ensures that the pnpm global binary directory is correctly configured and added to the PATH, allowing global installations like 'pnpm add -g snyk' to succeed. How to test: 1. Push these changes to the Pull Request. 2. Verify that the "Node.js CI" GitHub Action associated with the PR runs successfully. 3. Specifically, check that the "Install Snyk CLI" step (which runs 'pnpm add -g snyk') completes without the ERR_PNPM_NO_GLOBAL_BIN_DIR error. 4. Confirm that the subsequent "Run Snyk scan" step also executes as expected.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change integrates Snyk into the CI/CD pipeline to perform security vulnerability scanning on all projects.
Key changes include:
How to test:
Pull Request Template
✨ Title
📄 Description
Please explain in detail what this PR does, why it is needed, and how it addresses a specific problem. Include any relevant context and background information.
Checklist
🔗 Contextual Links (optional)
Add any relevant links to tracking tickets, previous discussions, or other resources.
📸 Visuals (optional)
If possible, include images or videos that show the result of your changes.
🔍 Reviewers
Please assign at least one reviewer for this PR. The PR cannot be merged until it is approved by the reviewer(s).