snyk-security.yml

---
    name: Snyk Scan
    on:
      pull_request:
      workflow_dispatch:
      push:
        branches: ["main"]
      schedule:
        - cron: "15 12 * * 1"
    
    permissions: read-all
    
    jobs:
      security:
        runs-on: ubuntu-latest
        permissions:
          # required for all workflows
          security-events: write
        steps:
          - name: checkout code
            uses: actions/checkout@v4
            with:
              ref: main
    
          - name: Run Snyk to check for vulnerabilities
            uses: snyk/actions/node@master
            continue-on-error: true
            env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
            with:
              command: test --all-projects
              args: --sarif-file-output=snyk.sarif
  
          - name: Check to see if the SARIF was generated
            id: sarif_file_exists
            uses: andstor/file-existence-action@v2
            with:
              files: "snyk.sarif"
    
          - name: Upload the SARIF file
            uses: github/codeql-action/upload-sarif@v2
            if: steps.sarif_file_exists.outputs.files_exists == 'true'
            with:
              sarif_file: snyk.sarif