.github/workflows/snyk.yml

# Run the Snyk scanning on the project only when something
# is pushed into main

name: Snyk scanning
on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  security:
    name: Security scan
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Static Code Analysis
        uses: snyk/actions/golang@0.4.0
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: 'code test'
          args: --sarif-file-output=snyk-static.sarif

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-static.sarif

      - name: Vulnerability scan
        uses: snyk/actions/golang@0.4.0
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk-test.sarif

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-test.sarif