.github/workflows/snyk-security.yml

name: Run Snyk Scan -- Go
on: push
jobs:
  snyk-scan-python:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Authenticate to Google Cloud for accessing Snyk token
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: "projects/747834912006/locations/global/workloadIdentityPools/epidemicsound/providers/github"
          service_account: "sast-dast-sa@es-platform-staging-fc6c.iam.gserviceaccount.com"

      - id: "secrets"
        name: Access Snyk secret token
        uses: "google-github-actions/get-secretmanager-secrets@v2"
        with:
          secrets: |-
            token:es-platform-staging-fc6c/snyk-token-secret
            
      - name: Setup Snyk
        uses: snyk/actions/setup@master

      - name: Add Snyk scan results to Snyk dashboard
        run: snyk monitor -d --all-projects
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ steps.secrets.outputs.token }}

      - name: Run Snyk to check for vulnerabilities
        run: snyk test --severity-threshold=critical -d --all-projects
        env:
          SNYK_TOKEN: ${{ steps.secrets.outputs.token }}