From 0c72f3277cc0a1d559e3af5b0b13b862b8c3046a Mon Sep 17 00:00:00 2001 From: Hector Machin Date: Tue, 19 Sep 2023 14:30:20 -0400 Subject: [PATCH 1/4] Adding daily scan github actions frequency, removed previously ignored postgres15 vuln --- .github/workflows/snyk-scan.yml | 19 +++++++++---------- .snyk | 6 ++++++ 2 files changed, 15 insertions(+), 10 deletions(-) create mode 100644 .snyk diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index cf8a0ba..943aecd 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -7,6 +7,8 @@ on: branches: ["main" ] pull_request: branches: ["main"] + schedule: # Run snyk scan daily at midnight + - cron: '0 0 * * *' permissions: contents: read @@ -23,21 +25,18 @@ jobs: - name: Snyk Python report vulnerabilities uses: snyk/actions/python@master - continue-on-error: true # To make sure that SARIF upload gets called + if: success() || failure() env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --sarif-file-output=snyk.sarif + args: + --sarif-file-output=snyk.sarif + --policy-path=.snyk + --severity-threshold=high # Forces fail on high-severity vulnerabilities # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning + - name: Upload python scan result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 + if: success() || failure() with: sarif_file: snyk.sarif - - - name: Snyk Python gatekeeper - uses: snyk/actions/python@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --severity-threshold=critical # Forces fail on critical-severity vulnerabilities diff --git a/.snyk b/.snyk new file mode 100644 index 0000000..f2a3480 --- /dev/null +++ b/.snyk @@ -0,0 +1,6 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.22.1 + +ignore: {} + +patch: {} From 7546cb829a1280d8c667532f58d4b04efe15ec7a Mon Sep 17 00:00:00 2001 
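Review bot: The new schedule fires at `0 0 * * *`, exactly on the hour, which is the slot GitHub documents as high-load where scheduled runs can be delayed or dropped; an off-peak minute such as `- cron: '23 1 * * *'` is more dependable, and keeping the expression single-quoted as done here is right because of the `*`. Scheduled runs execute against the latest commit on the default branch, never against open pull requests, so the comment would serve better as `# Daily scan of the default branch; scheduled runs do not see PR branches`. Only the `on:` block is in this hunk; the jobs it feeds are defined below it.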
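Review bot: The new `args:` value is an unquoted plain scalar spread over three lines, so it depends on YAML line-folding to become one space-joined string; that parses today, but an indentation slip or a future flag value containing `: ` would silently change the result, and the trailing `# Forces fail…` comment makes it read like a list. A folded block scalar states the intent explicitly: `args: >-` with the three flags on the following indented lines. The comment is also slightly off, since `--severity-threshold=high` fails on high and critical findings alike; `# Fail the step on high- or critical-severity vulnerabilities` is more accurate. The job and its earlier steps start above this hunk.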
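Review bot: The new policy file ships an empty `ignore: {}`, which is the right baseline, but nothing in it says how future exceptions must be written, and a Snyk ignore entry without an `expires` date never expires. A header comment such as `# Every ignore entry must carry a reason and an expires date; re-check expired entries in the daily scheduled scan` would make the convention visible to whoever adds the next entry — the postgres15 ignore this commit message says it removed is exactly the kind of silent drift that comment is meant to prevent. As far as I recall `patch:` entries only drive Snyk's dependency-patching for npm projects, so the empty `patch: {}` is inert for a Python project and could be dropped rather than implying it is used.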
From: Hector Machin Date: Tue, 19 Sep 2023 14:40:33 -0400 Subject: [PATCH 2/4] Gatekeeping on HIGH vulnerabilities --- .github/workflows/snyk-scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index 943aecd..fddb0a8 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -25,7 +25,6 @@ jobs: - name: Snyk Python report vulnerabilities uses: snyk/actions/python@master - if: success() || failure() env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: From 0a689d1e7a678c6902242e510850bb8ac1cd99ea Mon Sep 17 00:00:00 2001 From: Hector Machin Date: Tue, 19 Sep 2023 14:46:23 -0400 Subject: [PATCH 3/4] Gatekeeping on HIGH vulnerabilities --- .github/workflows/snyk-scan.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index fddb0a8..099e575 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -25,6 +25,7 @@ jobs: - name: Snyk Python report vulnerabilities uses: snyk/actions/python@master + continue-on-error: true # To make sure that SARIF upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: @@ -34,8 +35,17 @@ jobs: --severity-threshold=high # Forces fail on high-severity vulnerabilities # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload python scan result to GitHub Code Scanning + - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 - if: success() || failure() with: sarif_file: snyk.sarif + + - name: Snyk Python gatekeeper + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: + --sarif-file-output=snyk.sarif + --policy-path=.snyk + --severity-threshold=high # Forces fail on high-severity vulnerabilities From 367d0b3e84081b7498ea6ab63e21c41852936510 Mon Sep 17 00:00:00 2001 
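Review bot: The re-added gatekeeper step uses `snyk/actions/python@master`, a mutable branch reference, and it receives `SNYK_TOKEN`; anyone who can push to that branch can change what runs with the token, so pin it to a full commit SHA (`uses: snyk/actions/python@<40-char sha> # <tag>`) and let Dependabot or Renovate bump it — if the action in turn pulls a Docker image by tag, that image needs a digest pin too, and the `upload-sarif@v2` step deserves the same treatment. The step also passes `--sarif-file-output=snyk.sarif`, which rewrites the file the previous step has already uploaded, so on the gate that flag is dead weight and can be dropped. With this step both Snyk steps run the full scan, so every push and PR pays for two scans; a single scan step with the upload conditioned on `if: success() || failure()` would gate and report in one pass. The job's earlier steps are above this hunk.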
From: Hector Machin Date: Tue, 19 Sep 2023 14:49:29 -0400 Subject: [PATCH 4/4] Gatekeeping on HIGH vulnerabilities --- .github/workflows/snyk-scan.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml index 099e575..9351c43 100644 --- a/.github/workflows/snyk-scan.yml +++ b/.github/workflows/snyk-scan.yml @@ -29,10 +29,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: - --sarif-file-output=snyk.sarif - --policy-path=.snyk - --severity-threshold=high # Forces fail on high-severity vulnerabilities + args: --sarif-file-output=snyk.sarif # Push the Snyk Code results into GitHub Code Scanning tab - name: Upload result to GitHub Code Scanning
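Review bot: With `continue-on-error: true` and the severity threshold now removed, the report step's exit status is discarded completely, so a failure unrelated to findings (an unset or expired `SNYK_TOKEN`, a network error) produces no `snyk.sarif` and surfaces only as the upload step failing on a missing file, which points the reader at the wrong step. A cheap guard between the two steps makes the cause explicit: `- run: test -s snyk.sarif || { echo '::error::Snyk produced no SARIF report'; exit 1; }`. Because the workflow also runs on `pull_request`, PRs from forks will hit exactly that case since secrets are not passed to them — if this repository accepts fork PRs, both Snyk steps need an `if:` that skips when `github.event.pull_request.head.repo.fork` is true, or the job will always go red for outside contributors. The job definition starts above this hunk and the gatekeeper step follows it.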