🔐 Enhance Snyk Integration with Pre-commit Hook & Centralized Scanning Workflow

[alanraju-aot]

User description

Issue Tracking

JIRA:https://aottech.atlassian.net/browse/OPS-20

Changes

🛠️ Created install-pre-push.bat script to automate setup of pre-push hooks.
⚙️ Integrated Snyk scan as a standalone GitHub Actions workflow for centralized security scanning.
🧹 Removed Snyk scan and SARIF report generation from individual component CD workflows to avoid duplication and streamline security reporting.

Notes

Checklist

• Updated changelog
• Added meaningful title for pull request

---

PR Type

Enhancement, Other

---

Description

• Add cross-platform Snyk pre-push hook

• Provide installer to configure hooks and auth

• Centralize Snyk scans in dedicated workflow

• Remove Snyk from component CD pipelines

---

Diagram Walkthrough

flowchart LR
  A["Local dev: pre-push hook"] -- "auth + scan + monitor" --> B["Snyk CLI"]
  C["install-prepush.bat"] -- "installs hook + configures .env" --> A
  D["Component CD workflows"] -- "remove embedded scans" --> E["Lean CD pipelines"]
  F["snyk-scan.yml"] -- "matrix scan web projects" --> B

Loading

File Walkthrough

	Relevant files
Enhancement	3 files install-prepush.bat Windows installer for Snyk-enabled pre-push hook                  +116/-0  pre-push Pre-push Snyk scan with auth and logging                                  +119/-0  snyk-scan.yml New centralized Snyk scan workflow for web packages            +55/-0
Documentation	1 files sample.env Sample env containing Snyk token variable                                +2/-0
Configuration changes	6 files forms-flow-bpm-cd.yml Remove Snyk scan and SARIF processing from CD                        +0/-43    forms-flow-data-analysis-api-cd.yml Remove Snyk image scan from CD workflow                                    +0/-8      forms-flow-data-layer-cd.yml Remove Snyk scanning and SARIF upload                                        +0/-13    forms-flow-documents-cd.yml Drop Snyk scan and SARIF upload steps                                        +0/-13    forms-flow-idm.yml Remove Snyk scan from Keycloak CD                                                +0/-14    forms-flow-web-cd.yml Remove ZAP scan and related AWS upload                                      +0/-57

---

[github-actions]

PR Reviewer Guide 🔍

(Review updated until commit 0d1c01c)

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪

🧪 No relevant tests

🔒 Security concerns Sensitive information exposure: The file .github/hooks/sample.env includes a hard-coded SNYK_TOKEN value. Even as a sample, it resembles a real token and could be treated as a leaked secret by scanners or mistakenly used. Replace with a placeholder like SNYK_TOKEN=<insert-token-here> and rotate any potentially exposed token. Privilege and path safety: The pre-push script writes to /usr/local/bin to install Snyk, which may require elevated privileges and could be abused if path is spoofed. Prefer user-scoped installation or instruct manual install. Token persistence: install-prepush.bat sets snyk config set api=<token>, persisting the token in the Snyk config. Ensure developers are aware; consider using snyk auth flow or storing secrets only in environment and not long-lived config files.

⚡ Recommended focus areas for review Sensitive Token The sample .env contains a realistic-looking Snyk token value. Even if intended as a placeholder, committing token-like strings can trigger secret scanners and risk accidental misuse. Replace with an obvious placeholder pattern and ensure repo scanners are satisfied. # Snyk Authentication Token SNYK_TOKEN=c0ed54ed-a982-4c06-aa6f-3ae5d10a0213 Privileged Install The hook attempts to install Snyk to /usr/local/bin, which requires sudo and will fail on many systems. Consider installing to a user-writable path or skipping auto-install with a clear message. if ! command -v snyk >/dev/null 2>&1; then echo "⬇️ Downloading Snyk CLI binary..." > /dev/tty if command -v curl >/dev/null 2>&1; then curl -sL https://static.snyk.io/cli/latest/snyk-linux -o /usr/local/bin/snyk elif command -v wget >/dev/null 2>&1; then wget -qO /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux else echo "❌ Neither curl nor wget is available. Please install Snyk manually." > /dev/tty return 1 fi chmod +x /usr/local/bin/snyk fi Env Handling The script renames sample.env to .env and copies it into .git/hooks, then uses the SNYK_TOKEN to configure the CLI by writing it into Snyk config. This may persist the secret on disk. Consider copying a template, prompting the user, or ensuring secrets are not stored in plaintext config. REM Rename sample.env to .env if .env doesn't already exist IF EXIST "%~dp0sample.env" ( IF NOT EXIST "%~dp0.env" ( REN "%~dp0sample.env" ".env" IF ERRORLEVEL 1 ( ECHO ❌ Failed to rename sample.env to .env. EXIT /B 1 ) ECHO ✅ sample.env renamed to .env successfully. ) ELSE ( ECHO ⚠️ .env already exists. Skipping rename. ) ) ELSE ( ECHO ❌ sample.env file not found in the script directory. EXIT /B 1 ) SET "HOOKS_DIR=%GIT_ROOT%\.git\hooks" SET "GH_HOOKS_LOG_DIR=%GIT_ROOT%\.github\hooks" REM Create .github/hooks directory if not exists IF NOT EXIST "%GH_HOOKS_LOG_DIR%" ( mkdir "%GH_HOOKS_LOG_DIR%" ) REM Copy pre-push hook COPY /Y "%~dp0pre-push" "%HOOKS_DIR%\pre-push" >NUL IF ERRORLEVEL 1 ( ECHO ❌ Failed to copy pre-push hook. EXIT /B 1 ) REM Set executable permission if using Git Bash or WSL IF EXIST "%HOOKS_DIR%\pre-push" ( bash -c "chmod +x '%HOOKS_DIR%/pre-push'" 2>NUL ) ECHO ✅ Pre-push hook installed. REM Copy .env file for hooks IF EXIST "%~dp0.env" ( COPY /Y "%~dp0.env" "%HOOKS_DIR%\.env" >NUL IF ERRORLEVEL 1 ( ECHO ❌ Failed to copy .env file. EXIT /B 1 ) ECHO ✅ .env file copied successfully. ) ELSE ( ECHO ❌ .env file not found in the script directory. EXIT /B 1 ) REM Load SNYK_TOKEN from .env SET "SNYK_TOKEN=" FOR /F "usebackq tokens=1,* delims==" %%A IN ("%~dp0.env") DO ( IF /I "%%A"=="SNYK_TOKEN" SET "SNYK_TOKEN=%%B" ) IF NOT DEFINED SNYK_TOKEN ( ECHO ❌ SNYK_TOKEN not set in .env file. EXIT /B 1 ) REM Check if Snyk CLI exists ECHO 🔍 Checking Snyk CLI... WHERE snyk >NUL 2>&1 IF %ERRORLEVEL% NEQ 0 ( ECHO ⚠️ Snyk CLI not found. Downloading Snyk for Windows... REM Check if curl exists WHERE curl >NUL 2>&1 IF %ERRORLEVEL% EQU 0 ( curl -s https://static.snyk.io/cli/latest/snyk-win.exe -o "%GIT_ROOT%\snyk.exe" ) ELSE ( powershell -Command "Invoke-WebRequest -Uri 'https://static.snyk.io/cli/latest/snyk-win.exe' -OutFile '%GIT_ROOT%\snyk.exe'" ) IF ERRORLEVEL 1 ( ECHO ❌ Failed to download Snyk CLI. EXIT /B 1 ) ECHO ✅ Snyk CLI downloaded successfully to %GIT_ROOT%\snyk.exe SET "SNYK_CMD=%GIT_ROOT%\snyk.exe" ) ELSE ( ECHO ✅ Snyk CLI already installed. SET "SNYK_CMD=snyk" ) REM Authenticate Snyk CLI ECHO 🔐 Authenticating Snyk CLI using token from .env... "%SNYK_CMD%" config set api=%SNYK_TOKEN% >NUL 2>&1 REM Confirm token is set correctly FOR /F "tokens=* USEBACKQ" %%T IN (`"%SNYK_CMD%" config get api 2^>NUL`) DO SET "CONFIGURED_TOKEN=%%T" IF "%CONFIGURED_TOKEN%"=="%SNYK_TOKEN%" ( ECHO ✅ Snyk CLI authenticated successfully! ECHO ✅ Git hooks installed successfully! EXIT /B 0 ) ELSE ( ECHO ❌ Authentication failed. Token not set correctly. EXIT /B 1

[github-actions]

PR Code Suggestions ✨

Latest suggestions up to 0d1c01c
Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Safely load .env variables Prevent word splitting and unsafe exports by sourcing key-value pairs safely. Handle values with spaces or special characters to avoid broken envs or unintended exports. .github/hooks/pre-push [11-13] -# Load environment variables from .env file +# Load environment variables from .env file safely if [ -f "$ENV_FILE" ]; then - export $(grep -v '^#' "$ENV_FILE" | xargs) + set -a + # shellcheck disable=SC1090 + . "$ENV_FILE" + set +a fi Suggestion importance[1-10]: 8 __ Why: Replaces unsafe export $(grep ... | xargs) with set -a; . "$ENV_FILE" to correctly handle spaces and special characters; this is a meaningful correctness and safety improvement.	Medium
	Sanitize parsed token value Trim surrounding quotes and whitespace when parsing SNYK_TOKEN to avoid auth failures from values like "token" or trailing CR/LF. Also stop on first match to prevent later lines overriding the token. .github/hooks/install-prepush.bat [65-69] -REM Load SNYK_TOKEN from .env +REM Load SNYK_TOKEN from .env (trim quotes/whitespace) SET "SNYK_TOKEN=" FOR /F "usebackq tokens=1,* delims==" %%A IN ("%~dp0.env") DO ( - IF /I "%%A"=="SNYK_TOKEN" SET "SNYK_TOKEN=%%B" + IF /I "%%A"=="SNYK_TOKEN" ( + SET "SNYK_TOKEN=%%B" + REM Remove surrounding quotes and spaces + FOR /F "tokens=* delims= " %%Q IN ("!SNYK_TOKEN!") DO SET "SNYK_TOKEN=%%~Q" + GOTO :AfterTokenLoad + ) ) +:AfterTokenLoad Suggestion importance[1-10]: 7 __ Why: Correctly identifies potential issues with quoted/whitespace-contaminated SNYK_TOKEN and multiple matches; proposed batch-safe trimming and early exit improve robustness without altering intent.	Medium
General	Append and timestamp scan logs Avoid clobbering previous logs by using append mode and add a timestamped header for each run. This preserves history across pushes and eases troubleshooting. .github/hooks/pre-push [86-92] run_snyk_test() { echo "🔍 Running Snyk vulnerability test..." > /dev/tty - if "$SNYK_CMD" test --all-projects --severity-threshold=high > "$LOG_FILE" 2>&1; then + { + echo "===== $(date -u +"%Y-%m-%dT%H:%M:%SZ") Snyk test start =====" + "$SNYK_CMD" test --all-projects --severity-threshold=high + echo "===== $(date -u +"%Y-%m-%dT%H:%M:%SZ") Snyk test end =====" + } >> "$LOG_FILE" 2>&1 + if grep -qi "Tested" "$LOG_FILE" && ! tail -n 50 "$LOG_FILE" | grep -qi "vulnerabilities \[0\]"; then + echo "🚨 Vulnerabilities found! Review log at: $LOG_FILE" > /dev/tty + else echo "✅ No high/critical vulnerabilities found." > /dev/tty - else - echo "🚨 Vulnerabilities found! Review log at: $LOG_FILE" > /dev/tty fi } Suggestion importance[1-10]: 6 __ Why: Appending with timestamps preserves history and aids troubleshooting, but the heuristic to detect vulnerabilities via log parsing may be brittle; impact is moderate and mostly about logging behavior.	Low

---

Previous suggestions

Suggestions up to commit 3f57f38

Category	Suggestion	Impact
General	Source env file robustly Using export $(…) can fail on empty or commented-only .env files and mishandle values with spaces. Instead, source the file with export enabled to correctly load all variables. This approach respects comments and whitespace. .github/hooks/pre-push [12] -export $(grep -v '^#' "$ENV_FILE" | xargs) +set -a +. "$ENV_FILE" +set +a Suggestion importance[1-10]: 6 __ Why: Sourcing with set -a/. ensures variables are loaded correctly even with spaces or comments and avoids edge-case failures of export $(…).	Low

[vinaayakh-aot]

can we replace the token with a generic placeholder like <your_token>

[alanraju-aot]

In that case we will need to hardcode the token? Is that you mentioned?

[sonarqubecloud]

Quality Gate failed

Failed conditions
2 Security Hotspots
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[github-actions]

Persistent review updated to latest commit 0d1c01c