name: Snyk Static Analysis Scan
# This git workflow leverages Snyk actions to perform a Static Application
# Testing scan (SAST) on our first-party code upon Pull Requests to the
# "develop" branch. We use this as a control to prevent vulnerabilities
# from being introduced into the codebase.
on:
  pull_request:
    branches:
      - develop
      - release/*
jobs:
  Snyk_SAST_Scan:
    # Skip this job on PRs from forks
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          token: ${{ secrets.BOT_GITHUB_ACTION_TOKEN }}
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: 'yarn'
      - name: Run yarn
        run: yarn
      - name: Run build
        run: yarn build
      - uses: snyk/actions/setup@master
      - name: Perform Static Analysis Test
        continue-on-error: true
        run: |
          snyk code test --yarn-workspaces --strict-out-of-sync=false --detection-depth=6 --exclude=docker,Dockerfile --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      # The Following Requires Advanced Security License
      # - name: Upload results to Github Code Scanning
      #   uses: github/codeql-action/upload-sarif@v1
      #   with:
      #     sarif_file: snyk_sarif