snyk-security.yml

name: Snyk Security

on:
  push:
    branches: ["main" ]
  pull_request:

permissions:
  contents: read

jobs:
  snyk:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3
      
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: "3.11"

      - name: Set up Snyk CLI to check for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the SAST issues to GitHub Code Scanning
        uses: snyk/actions/setup@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Install and configure Poetry
        uses: snok/install-poetry@v1

      - name: Install dependencies
        run: |
          poetry install

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python-3.10@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --skip-unresolved --severity-threshold=high --sarif-file-output=snyk.sarif
          command: test --all-projects

      # - name: Upload result to GitHub Code Scanning
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: snyk.sarif