snyk_sca_scan.yaml

name: Snyk Software Composition Analysis Scan
# This git workflow leverages Snyk actions to perform a Software Composition 
# Analysis scan on our Opensource libraries upon Pull Requests to Master & 
# Develop branches. We use this as a control to prevent vulnerable packages 
# from being introduced into the codebase. 
on:
  pull_request_target:
    types:
      - opened
    branches: 
      - master
jobs:
  Snyk_SCA_Scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [18.x]
    steps:
      - uses: actions/checkout@v2
      - name: Setting up Node
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Installing snyk-delta and dependencies
        run: npm i -g snyk-delta
      - uses: snyk/actions/setup@master
      - name: Perform SCA Scan
        continue-on-error: false
        run: |
          snyk test --all-projects --detection-depth=4 --exclude=docker,Dockerfile --severity-threshold=critical
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}