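---
# Snyk dependency (SCA) and code (SAST) scans, uploaded as SARIF to the
# Security tab. Findings never fail the job; only a scan that could not run
# does (see the `run` steps below).
name: Snyk checks

on:
  push:
    branches: [main, master, "**/*"]
  pull_request:
    branches: ["**/*"]
  workflow_dispatch:

# Least privilege: the token only needs to read the repo and write SARIF.
# NOTE(review): on pull_request events from forks, GitHub withholds
# `secrets.SNYK_TOKEN` and grants a read-only token, so both the scan and the
# SARIF upload are expected to fail there — confirm whether fork PRs matter.
permissions:
  contents: read
  security-events: write

jobs:
  snyk-open-source:
    name: Snyk Open Source (deps)
    runs-on: ubuntu-latest
    steps:
      # Outbound traffic is restricted to the explicit allow-list below;
      # anything else (including a leaked token exfiltration) is blocked.
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            api.snyk.io:443
            downloads.snyk.io:443
            files.pythonhosted.org:443
            fonts.googleapis.com:443
            fonts.gstatic.com:443
            github.com:443
            iojs.org:443
            nodejs.org:443
            packages.microsoft.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            registry.npmjs.org:443
            release-assets.githubusercontent.com:443
            releases.astral.sh:443
            static.snyk.io:443
            storage.googleapis.com:443
            sum.golang.org:443

      # All third-party actions are pinned to a full commit SHA (the version
      # tag is a comment only) so a moved tag cannot change what runs.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node (for UI)
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "25"

      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          version: "0.11.0"
          python-version: "3.11"

      # --frozen: install exactly what the lockfile says, never re-resolve.
      - name: Sync Python dependencies (integrations)
        working-directory: tests/integrations/python
        run: uv sync --frozen

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26.2"

      - name: Setup Go workspace
        run: make setup-workspace

      - name: Build
        run: make build LOCAL=1

      - name: Install Snyk CLI
        uses: maximhq/snyk-actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
        with:
          snyk-version: "v1.1303.2"

      # Snyk CLI exit codes: 0 = no issues, 1 = issues found, 2 = the scan
      # itself failed (auth, network, CLI error), 3 = nothing supported found.
      # Findings are surfaced through SARIF rather than by failing the job, but
      # a scan that never ran must not look like a clean one — so exit 2 is
      # re-raised instead of being swallowed by a blanket `|| true`.
      - name: Snyk test (all projects)
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          snyk test --all-projects --detection-depth=4 --exclude=examples,tests --sarif-file-output=snyk.sarif
          rc=$?
          set -e
          echo "snyk test exit code: $rc"
          if [ "$rc" -eq 2 ]; then
            echo "::error::snyk test could not run (exit code 2); check SNYK_TOKEN and egress allow-list"
            exit 2
          fi

      # Upload whatever the scan produced, even after a failed step, but only
      # when a SARIF file actually exists.
      - name: Upload SARIF
        if: always() && hashFiles('snyk.sarif') != ''
        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
        with:
          sarif_file: snyk.sarif

  snyk-code:
    name: Snyk Code (SAST)
    runs-on: ubuntu-latest
    steps:
      # Same egress allow-list as above, plus deeproxy.snyk.io which the code
      # scan uses (static.snyk.io is not needed here).
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            api.snyk.io:443
            deeproxy.snyk.io:443
            downloads.snyk.io:443
            files.pythonhosted.org:443
            fonts.googleapis.com:443
            fonts.gstatic.com:443
            github.com:443
            iojs.org:443
            nodejs.org:443
            packages.microsoft.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443
            registry.npmjs.org:443
            release-assets.githubusercontent.com:443
            releases.astral.sh:443
            storage.googleapis.com:443
            sum.golang.org:443

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node (for UI)
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "25"

      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          version: "0.11.0"
          python-version: "3.11"

      - name: Sync Python dependencies (integrations)
        working-directory: tests/integrations/python
        run: uv sync --frozen

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26.2"

      - name: Setup Go workspace
        run: make setup-workspace

      - name: Build
        run: make build LOCAL=1

      - name: Install Snyk CLI
        uses: maximhq/snyk-actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
        with:
          snyk-version: "v1.1303.2"

      # Same exit-code handling as the dependency scan: report findings via
      # SARIF, but fail loudly when the scanner itself did not run (exit 2).
      - name: Snyk Code test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          set +e
          snyk code test --sarif-file-output=snyk-code.sarif
          rc=$?
          set -e
          echo "snyk code test exit code: $rc"
          if [ "$rc" -eq 2 ]; then
            echo "::error::snyk code test could not run (exit code 2); check SNYK_TOKEN and egress allow-list"
            exit 2
          fi

      - name: Upload SARIF
        if: always() && hashFiles('snyk-code.sarif') != ''
        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
        with:
          sarif_file: snyk-code.sarif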