Refactor Snyk scan yaml files

.github/workflows/scheduled-snyk-docker.yaml

@@ -0,0 +1,40 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: radarbase/radar-schemas-tools
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        continue-on-error: true # To make sure that SARIF upload gets called
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE }}
+          # 'exclude-app-vulns' only tests vulnerabilities in the base image.
+          # Code base vulnerabilities are tested the scheduled-snyk.yaml action.
+          args: >-
+            --file=Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif

.github/workflows/scheduled-snyk.yaml

@@ -0,0 +1,34 @@
+name: Snyk scheduled code base scan
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif

.github/workflows/snyk.yaml

@@ -1,40 +1,27 @@
-name: Snyk test
+name: Snyk test on PR commits
+
 on:
   pull_request:
     branches:
-      - master
+      - main
+      - dev
       - release-*
 
 jobs:
   security:
     runs-on: ubuntu-latest
-
-    defaults:
-      run:
-        working-directory: java-sdk
-
     steps:
       - uses: actions/checkout@v3
-      - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
-
-      - uses: actions/setup-java@v3
-        with:
-          distribution: temurin
-          java-version: 17
-
-      - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
 
       - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: >
-          snyk test
-          --all-sub-projects
-          --configuration-matching='^runtimeClasspath$'
-          --org=radar-base
-          --policy-path=.snyk
-          --json-file-output=snyk.json
-          --severity-threshold=high
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk