From f383ae329f116b713fb30c76f9f3ee3d5890f327 Mon Sep 17 00:00:00 2001
From: cypresschris <96069059+cypresschris@users.noreply.github.com>
Date: Fri, 25 Aug 2023 16:34:59 -0500
Subject: [PATCH] chore: SEC-688 | updates to sca scan action (#27639)
* Chore: SEC-688 | updates to sca scan action
* Chore: SEC-688 | removed push event
* SEC-688 | Updates to SAST scan configs
* SEC-688 | Update SCA scan to include CLI
* chore: empty commit for semantic versioning
---------
Co-authored-by: Jennifer Shehane
---
 .github/workflows/snyk_sca_scan.yaml | 21 +++++++++++++++----
 .../workflows/snyk_static_analysis_scan.yaml | 15 ++++++++++++-
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/snyk_sca_scan.yaml b/.github/workflows/snyk_sca_scan.yaml
index 10315033adb5..f563cfe2961e 100644
--- a/.github/workflows/snyk_sca_scan.yaml
+++ b/.github/workflows/snyk_sca_scan.yaml
@@ -3,6 +3,10 @@ name: Snyk Software Composition Analysis Scan
 # Analysis scan on our Opensource libraries upon Pull Requests to the
 # "develop" branch. We use this as a control to prevent vulnerable packages
 # from being introduced into the codebase.
+# Enhancements were made to this action to build the yarn packages to reduce
+# Snyk scan errors that were complaining about the yarn.locks etc. Also
+# implemented PAT token for actions to resolve an issue with the action not
+# running and reporting back to the PR status checks
 on:
 pull_request:
 types: [opened, edited]
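Review bot: The new header comment describes a "PAT token" without naming the secret or the step that consumes it, and its stated purpose — fixing the action "not running and reporting back to the PR status checks" — does not match where the token is applied: it is only passed to actions/checkout, which governs cloning, not status reporting. Suggest the last two comment lines name the secret (`BOT_GITHUB_ACTION_TOKEN`, used by the checkout step added later in this patch) and record why the default `GITHUB_TOKEN` was insufficient and which scopes the PAT carries, e.g. `# The checkout step uses the BOT_GITHUB_ACTION_TOKEN PAT because <reason GITHUB_TOKEN was insufficient>; it is granted only <scopes>.` with the placeholders filled in. Without that, the next maintainer cannot judge whether the credential is still needed or over-scoped.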
@@ -15,17 +19,26 @@ jobs:
 matrix:
 node-version: [16.x]
 steps:
- - uses: actions/checkout@v3
- - name: Setting up Node
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.BOT_GITHUB_ACTION_TOKEN }}
+ - name: Set up Node.js
 uses: actions/setup-node@v3
 with:
- node-version: ${{ matrix.node-version }}
+ node-version: 16
+ cache: 'yarn'
+ - name: Run yarn
+ run: yarn
+ - name: Run build
+ run: yarn build
 - name: Installing snyk-delta and dependencies
 run: npm i -g snyk-delta
 - uses: snyk/actions/setup@master
 - name: Perform SCA Scan
 continue-on-error: false
 run: |
- snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,docker,Dockerfile --severity-threshold=critical
+ snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=system-tests,tooling,docker,Dockerfile --severity-threshold=critical
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk_static_analysis_scan.yaml b/.github/workflows/snyk_static_analysis_scan.yaml
index d32553086d01..c7290d21d052 100644
--- a/.github/workflows/snyk_static_analysis_scan.yaml
+++ b/.github/workflows/snyk_static_analysis_scan.yaml
@@ -13,7 +13,20 @@ jobs:
 Snyk_SAST_Scan :
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.BOT_GITHUB_ACTION_TOKEN }}
+ - name: Set up Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16
+ cache: 'yarn'
+ - name: Run yarn
+ run: yarn
+ - name: Run build
+ run: yarn build
 - uses: snyk/actions/setup@master
 - name: Perform Static Analysis Test
 continue-on-error: true
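Review bot: The PAT passed as `token:` to actions/checkout is written into the checkout's local git config and stays available to every later step, because `persist-credentials` defaults to true; the new `Run yarn` and `Run build` steps then execute package lifecycle scripts from the PR's dependency tree with that credential within reach, before Snyk has vetted those packages. No step in this job pushes, so add `persist-credentials: false` under the checkout `with:` block; the same applies to the checkout added in snyk_static_analysis_scan.yaml. Since the workflow runs on `pull_request`, a PR opened from a fork receives no repository secrets and `token:` expands to an empty string there — worth confirming how actions/checkout behaves in that case rather than relying on it. Separately, the `node-version: [16.x]` matrix is now dead: the setup step hardcodes `node-version: 16` instead of `${{ matrix.node-version }}`, so either restore the expression or drop the matrix (its `strategy:` header is above the hunk).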
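Review bot: The `Run yarn` and `Run build` steps added ahead of the static analysis scan do not appear to be needed here: the commit message ties the build to yarn.lock errors in the SCA scan, and nothing in this hunk feeds build output to the SAST step, so the job now installs and runs the PR's dependency scripts without a visible scan benefit. Confirm against what `snyk code test` actually requires and, if nothing, drop the two steps together with `fetch-depth: 0`, which only pays off for a diff-aware tool such as snyk-delta that this job does not install. If the build is kept, a one-line comment above `Run yarn` stating which scan error it works around would save the next reader the same investigation. The `Snyk_SAST_Scan` job continues past the hunk.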