.github/workflows/snyk.yml

# This workflow runs Snyk Monitor on every push to main.
name: Snyk

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      # required for all workflows
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Update Snyk UI with current vulnerabilities
        uses: snyk/actions/scala@0.4.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          args: --org=the-guardian-cuu --project-name=${{ github.repository }}

      - name: Update Github Code Scanning file with current vulnerabilities
        uses: snyk/actions/scala@0.4.0
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif