
chore: add Snyk security scanning and dependency review workflows #289

Closed

c-warren wants to merge 1 commit into cadence-workflow:master from c-warren:feature/add-snyk-security-scanning


Conversation

@c-warren (Contributor)
Summary

  • Adds Snyk vulnerability scanning on PRs (advisory, non-blocking) with results uploaded to the GitHub Security tab via SARIF
  • Runs snyk monitor on pushes to the default branch to register a dependency snapshot in Snyk for ongoing tracking
  • Adds dependency-review-action on PRs to surface newly introduced dependencies and any known vulnerabilities in them

Prerequisites

SNYK_TOKEN must be added to this repository's GitHub Actions secrets (Settings → Secrets and variables → Actions) before the Snyk jobs will succeed.

@gitar-bot (Bot) commented May 14, 2026
CI failed: The CI workflow is failing because it references an invalid Snyk action path that does not exist in the repository's configuration.

Overview

A single failure pattern was identified in the Snyk security workflow setup, where the GitHub Action runner cannot locate the specified action definition, causing the job to fail immediately.

Failures

Invalid Snyk Action Path (confidence: high)

  • Type: configuration
  • Affected jobs: 76058139885
  • Related to change: yes
  • Root cause: The workflow file references snyk/actions/gradle-jdk8@master, but this path does not exist within the Snyk actions repository.
  • Suggested fix: Update the workflow to use the correct action path (e.g., snyk/actions/gradle) or switch to using the Snyk CLI via a standard shell run command.

Summary

  • Change-related failures: 1 failure due to an incorrect configuration of the new Snyk security scanning workflow.
  • Infrastructure/flaky failures: 0
  • Recommended action: Correct the action path in the .github/workflows/ configuration file to point to the validated Snyk action or replace it with the recommended CLI-based execution method.
Code Review: ⚠️ Changes requested (0 resolved / 2 findings)

Adds Snyk security scanning and dependency review workflows, but requires pinning actions to immutable tags to prevent supply-chain risks and needs an updated conditional check to ensure SARIF upload succeeds on all push events.

⚠️ Security: Snyk action pinned to mutable @master ref

Files: .github/workflows/snyk-security.yml:19, .github/workflows/snyk-security.yml:32

The snyk/actions/gradle-jdk8@master reference (lines 19 and 32) tracks a mutable branch. A compromised or force-pushed upstream master could inject arbitrary code into the workflow with access to the SNYK_TOKEN secret and security-events: write permission. Pin to a specific commit SHA (or at minimum a release tag) to prevent supply-chain attacks.

The actions/checkout@v4 and other actions already use tags; Snyk should follow the same pattern.

Pin the Snyk action to a specific commit SHA (look up the latest release SHA from https://github.com/snyk/actions/releases and substitute it).
- uses: snyk/actions/gradle-jdk8@<full-commit-sha>  # tag: vX.Y.Z
⚠️ Edge Case: SARIF upload fails if snyk step is skipped on push

Files: .github/workflows/snyk-security.yml:17-31

On a push event the Snyk scan step (line 17-28) is skipped due to if: github.event_name == 'pull_request', so snyk.sarif is never created. The upload step (line 25-28) also has the same if guard, so today it won't run — but if that guard is ever removed or if a future step references the file, the job would fail. More importantly, on push the snyk monitor step (line 30) runs but produces no SARIF, so code-scanning results for the default branch are never uploaded to the Security tab. Consider running both snyk test --sarif-file-output and snyk monitor on push events (or uploading on push as well) so that the Security tab reflects the default-branch state.

Run the scan + SARIF upload unconditionally (on both push and PR) so the Security tab is populated for the default branch too, and keep `monitor` only on push.
- name: Run Snyk to check for vulnerabilities
  uses: snyk/actions/gradle-jdk8@<pinned-sha>
  continue-on-error: true
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: snyk.sarif
- name: Monitor on default branch
  if: github.event_name == 'push'
  uses: snyk/actions/gradle-jdk8@<pinned-sha>
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    command: monitor
Rules: ❌ No requirements met

Repository Rules

PR Description Quality Standards: The PR description is missing required template sections: [Which sample(s) or area?], [Potential risks], [Release notes], [Documentation Changes].

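A check for the mutable-ref finding, as an added example that is not code from this PR, from gitar-bot, or from the cadence-workflow project: a dependency-free Python linter that classifies every `uses:` reference in a workflow file as pinned to a full commit SHA, to a tag, or to a branch, and rewrites chosen references to the `action@<sha>  # tag: <tag>` form the review asks for. `SAMPLE_WORKFLOW` is constructed from the step snippets quoted in this thread (its `name`, `on` and `jobs` header lines are assumed, not taken from the PR), and the SHA the demo passes to `pin_actions()` is a placeholder, not a real commit of `snyk/actions`.

```python
"""Lint a GitHub Actions workflow for mutable ``uses:`` references.

Added example, not code from the PR or the cadence-workflow project. The steps in
SAMPLE_WORKFLOW are the ones quoted in the thread; its name/on/jobs header is
assumed, and the SHA used in the demo is a placeholder, not a real commit.
"""
import re
from dataclasses import dataclass

SAMPLE_WORKFLOW = """\
name: Snyk Security
on: [push, pull_request]
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        if: github.event_name == 'pull_request'
        uses: snyk/actions/gradle-jdk8@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        if: github.event_name == 'pull_request'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
      - name: Monitor on default branch
        if: github.event_name == 'push'
        uses: snyk/actions/gradle-jdk8@master
        with:
          command: monitor
"""

# "uses:" at step level ("- uses:" / "uses:") or job level (reusable workflows).
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA: immutable
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")   # v4, v3.1, 1.2.3: movable tags

@dataclass(frozen=True)
class ActionRef:
    line: int     # 1-based line in the workflow text
    action: str   # owner/repo[/path], or the local/docker target
    ref: str      # text after '@' ('' if absent)
    kind: str     # "sha" | "tag" | "branch" | "local" | "docker"

def classify_ref(ref: str) -> str:
    """Only a full SHA is immutable; tags and branches can both be moved upstream."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if VERSION_TAG_RE.fullmatch(ref):
        return "tag"
    return "branch"   # master/main/anything else tracks the branch head

def find_action_refs(workflow_text: str) -> list[ActionRef]:
    refs = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("'\"")
        if target.startswith("./"):              # action checked into this repository
            refs.append(ActionRef(lineno, target, "", "local"))
        elif target.startswith("docker://"):     # image reference; pin by digest instead
            refs.append(ActionRef(lineno, target, "", "docker"))
        else:
            action, _, ref = target.partition("@")
            refs.append(ActionRef(lineno, action, ref, classify_ref(ref)))
    return refs

def mutable_refs(workflow_text: str) -> list[ActionRef]:
    """Remote actions not pinned to a commit SHA: the supply-chain finding."""
    return [r for r in find_action_refs(workflow_text) if r.kind in ("tag", "branch")]

def pin_actions(workflow_text: str, pins: dict[str, tuple[str, str]]) -> str:
    """Rewrite ``uses: <action>@<ref>`` to ``uses: <action>@<sha>  # tag: <tag>``."""
    # pins maps action path -> (full commit SHA, tag); the SHA is looked up by the caller.
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            action = m.group(1).strip("'\"").partition("@")[0]
            if action in pins:
                sha, tag = pins[action]
                if not SHA_RE.fullmatch(sha):
                    raise ValueError(f"{action}: {sha!r} is not a full commit SHA")
                line = f"{line[:m.start(1)]}{action}@{sha}  # tag: {tag}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for r in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref} tracks a {r.kind}, not a commit")
    placeholder_sha = "1" * 40   # stand-in only; substitute the real release SHA
    print(pin_actions(SAMPLE_WORKFLOW, {"snyk/actions/gradle-jdk8": (placeholder_sha, "vX.Y.Z")}))
```

Tags are reported as mutable on purpose: `v4` is a floating major-version tag that the maintainer moves on each release, so only a 40-hex SHA counts as pinned. Local (`./`) and `docker://` targets are listed but not classified, since a container image is pinned by digest rather than by git ref.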

- uses: actions/checkout@v4
- name: Run Snyk to check for vulnerabilities
if: github.event_name == 'pull_request'
uses: snyk/actions/gradle-jdk8@master
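Review bot: `uses: snyk/actions/gradle-jdk8@master` on the last line of this hunk pins the scan to a branch head rather than a commit, and the CI failure reported above says the runner could not resolve that path at all; fix the path first (the CI comment suggests `snyk/actions/gradle`), then reference it by full commit SHA with the tag kept in a trailing comment, e.g. `uses: snyk/actions/gradle@<full-commit-sha>  # tag: vX.Y.Z`. `actions/checkout@v4` on the first line is a major-version tag the maintainer can move, so if the repository wants SHA pinning as a rule it should get the same treatment rather than being held up as the pattern to follow.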

@gitar-bot (Bot) May 14, 2026

⚠️ Security: Snyk action pinned to mutable @master ref

The snyk/actions/gradle-jdk8@master reference (lines 19 and 32) tracks a mutable branch. A compromised or force-pushed upstream master could inject arbitrary code into the workflow with access to the SNYK_TOKEN secret and security-events: write permission. Pin to a specific commit SHA (or at minimum a release tag) to prevent supply-chain attacks.

The actions/checkout@v4 and other actions already use tags; Snyk should follow the same pattern.

Pin the Snyk action to a specific commit SHA (look up the latest release SHA from https://github.com/snyk/actions/releases and substitute it):

- uses: snyk/actions/gradle-jdk8@<full-commit-sha>  # tag: vX.Y.Z


Comment on lines +17 to +31
- name: Run Snyk to check for vulnerabilities
if: github.event_name == 'pull_request'
uses: snyk/actions/gradle-jdk8@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
if: github.event_name == 'pull_request'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Monitor on default branch
if: github.event_name == 'push'
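Review bot: `continue-on-error: true` on the scan step combined with the unguarded upload step in this hunk means that whenever `snyk test` exits before writing `snyk.sarif`, the upload step still runs on a pull request and fails on the missing file; the two cases to expect are a missing or invalid `SNYK_TOKEN` (the description lists it as a prerequisite) and pull requests opened from forks, such as this one, to which GitHub does not expose repository secrets. Guard the upload with `if: always() && hashFiles('snyk.sarif') != ''`, or drop `continue-on-error` so the scan step's own status is what the check reports. Separately, `--severity-threshold=high` also filters what lands in the SARIF file, so findings below high never reach the Security tab; if that is intended, say so in the step name or a comment.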

@gitar-bot (Bot) May 14, 2026

⚠️ Edge Case: SARIF upload fails if snyk step is skipped on push

On a push event the Snyk scan step (line 17-28) is skipped due to if: github.event_name == 'pull_request', so snyk.sarif is never created. The upload step (line 25-28) also has the same if guard, so today it won't run — but if that guard is ever removed or if a future step references the file, the job would fail. More importantly, on push the snyk monitor step (line 30) runs but produces no SARIF, so code-scanning results for the default branch are never uploaded to the Security tab. Consider running both snyk test --sarif-file-output and snyk monitor on push events (or uploading on push as well) so that the Security tab reflects the default-branch state.

Run the scan + SARIF upload unconditionally (on both push and PR) so the Security tab is populated for the default branch too, and keep monitor only on push:

- name: Run Snyk to check for vulnerabilities
  uses: snyk/actions/gradle-jdk8@<pinned-sha>
  continue-on-error: true
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --severity-threshold=high --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: snyk.sarif
- name: Monitor on default branch
  if: github.event_name == 'push'
  uses: snyk/actions/gradle-jdk8@<pinned-sha>
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    command: monitor


@c-warren (Contributor, Author)

Closing in favour of Snyk's native GitHub integration

@c-warren c-warren closed this May 14, 2026