Add Snyk security scan workflow

universalbit-dev · web-flow · commit d081c1c056d0 · 2026-06-14T19:46:02.000+02:00
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
@@ -0,0 +1,60 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+  workflow_dispatch:
+
+jobs:
+  snyk-scan:
+    runs-on: ubuntu-latest
+    environment: snyk  
+    
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+      
+      - name: Verify Snyk token exists
+        run: |
+          if [ -z "${{ secrets.SNYK_TOKEN }}" ]; then
+            echo "❌ ERROR: SNYK_TOKEN secret is not set"
+            exit 1
+          else
+            echo "✅ SNYK_TOKEN secret is configured"
+          fi
+      
+      - name: Install dependencies
+        if: hashFiles('package.json') != ''
+        run: npm install
+      
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --severity-threshold=medium
+      
+      - name: Run Snyk Monitor (track project)
+        if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --all-projects
