ci: 🧷 Create snyk-security.yml

[Anselmoo]

All PR-Submissions:

---

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open
  Pull Requests for the same
  update/change?

New ✨✨ Feature-Submissions:

---

• Does your submission pass tests?
• Have you lint your code locally prior to submission? Fixed:
• This PR is for a new feature, not a bug fix.

Changes to ⚙️ Core-Features:

---

• Have you added an explanation of what your changes do and why you'd like
  us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you successfully run tests with your changes locally?

Summary by Sourcery

This pull request introduces a new GitHub Actions workflow to integrate Snyk security scanning into the CI pipeline. The workflow will analyze code, open source dependencies, containers, and infrastructure as code for security issues, and upload the results to GitHub Security Code Scanning.

• CI:
  • Added a new GitHub Actions workflow to integrate Snyk security scanning for code, open source dependencies, containers, and infrastructure as code.

[semanticdiff-com]

Review changes with SemanticDiff.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request introduces a new GitHub Actions workflow file named snyk-security.yml to integrate Snyk security scanning into the CI pipeline. The workflow is designed to run on pushes to the main and gh-pages branches, as well as on pull requests targeting the main branch. It sets up the Snyk CLI to perform various security analyses, including SAST, SCA, IaC, and container security scans, and uploads the results to GitHub Security Code Scanning and Snyk.

File-Level Changes

Files	Changes
.github/workflows/snyk-security.yml	Introduced a new GitHub Actions workflow for comprehensive Snyk security scanning, including SAST, SCA, IaC, and container security analyses, with results uploaded to GitHub Security Code Scanning and Snyk.

---

Tips

• Trigger a new Sourcery review by commenting @sourcery-ai review on the pull request.
• Continue your discussion with Sourcery by replying directly to review comments.
• You can change your review settings at any time by accessing your dashboard:
  • Enable or disable the Sourcery-generated pull request summary or reviewer's guide;
  • Change the review language;
• You can always contact us if you have any questions or feedback.

[sourcery-ai]

Hey @Anselmoo - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

• Docker build command syntax issue (link)

Here's what I looked at during the review

• 🔴 General issues: 1 blocking issue, 5 other issues
• 🟢 Security: all looks good
• 🟢 Testing: all looks good
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.}

[sourcery-ai]

suggestion (performance): Consider limiting branch triggers

Triggering the workflow on every push to 'main' and 'gh-pages' might be too broad. Consider limiting it to specific branches or tags to avoid unnecessary runs.

Suggested change

	branches: ["main", "gh-pages"]
	branches:
	- main
	- gh-pages
	- 'releases/*'

[sourcery-ai]

issue (bug_risk): Docker build command syntax issue

The Docker build command should be docker build -t <tag> . instead of docker build -t ./Dockerfile .. The -t flag is for tagging the image, not specifying the Dockerfile.

[sourcery-ai]

suggestion (bug_risk): Consider handling Snyk command failures

Using || true to ignore failures might hide critical issues. Consider handling failures more gracefully or logging them for further inspection.

Suggested change

	run: snyk code test --sarif > snyk-code.sarif # || true
	run: |
	snyk code test --sarif > snyk-code.sarif || {
	echo "Snyk Code test failed. Please check the logs for more details.";
	exit 1;
	}

[sourcery-ai]

suggestion (bug_risk): Consider handling Snyk IaC command failures

Using || true to ignore failures might hide critical issues. Consider handling failures more gracefully or logging them for further inspection.

Suggested change

	run: snyk iac test --report # || true
	run: |
	snyk iac test --report || echo "Snyk IaC test failed, but continuing pipeline" >> snyk_iac_errors.log

[sourcery-ai]

suggestion: Redundant Dockerfile path

The --file=Dockerfile flag is redundant when the Dockerfile is in the default location. Consider removing it for simplicity.

Suggested change

	run: snyk container monitor ./Dockerfile --file=Dockerfile
	run: snyk container monitor ./Dockerfile

[sourcery-ai]

suggestion: Pinning actions to a specific commit

Pinning actions to a specific commit ensures stability but might miss out on important updates. Consider using a version tag for a balance between stability and updates.

Suggested change

	uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
	uses: snyk/actions/setup@v1

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (acf6f83) to head (c9d35b7).

Additional details and impacted files

@@            Coverage Diff            @@
##              main     #1406   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           44        44           
  Lines         4467      4467           
=========================================
  Hits          4467      4467           

Flag	Coverage Δ
unittests	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.