🐛 Fix Snyk configuration

.github/workflows/snyk-security.yml

@@ -35,45 +35,16 @@ jobs:
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up Snyk CLI to check for security issues
-        # Snyk can be used to break the build when it detects security issues.
-        # In this case we want to upload the SAST issues to GitHub Code Scanning
-        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
-
-        # For Snyk Open Source you must first set up the development environment for your application's dependencies
-        # For example for Node
-        #- uses: actions/setup-node@v3
-        #  with:
-        #    node-version: 16
+      - uses: actions/checkout@master
 
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle@master
+        continue-on-error: true # To make sure that SARIF upload gets called
         env:
-          # This is where you will need to introduce the Snyk API token created with your Snyk account
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
-        # Use || true to not fail the pipeline
-      - name: Snyk Code test
-        run: snyk code test --sarif > snyk-code.sarif # || true
-
-        # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
-      - name: Snyk Open Source monitor
-        run: snyk monitor --all-projects
-
-        # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
-        # Use || true to not fail the pipeline.
-      - name: Snyk IaC test and report
-        run: snyk iac test --report # || true
-
-        # Build the docker image for testing
-      - name: Build a Docker image
-        run: docker build -t your/image-to-test .
-        # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
-      - name: Snyk Container monitor
-        run: snyk container monitor your/image-to-test --file=Dockerfile
-
-        # Push the Snyk Code results into GitHub Code Scanning tab
+        with:
+          args: --sarif-file-output=snyk.sarif
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: snyk-code.sarif
+          sarif_file: snyk.sarif

README.md

@@ -74,6 +74,10 @@ Linter ([Checkstyle](https://checkstyle.org/), [PMD](https://docs.pmd-code.org/l
 El objetivo de este proyecto es validar nuevas herramientas, superposiciones de 
 funcionalidad y aplicabilidad
 
+Este proyecto también utiliza otros mecanismos de validación de seguridad y 
+vulnerabilidad, como [Dependabot](https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide) 
+y [otros](https://github.com/arthurmfnsc/api-first/security).
+
 En el futuro, el repositorio puede sufrir cambios no necesariamente relacionados con la 
 parte de seguridad, pero la pipeline de CI/CD y el contexto de seguridad permanecerán. 
 Debido a que agregaste varias GithubActions en confirmaciones futuras, es posible que 
@@ -89,6 +93,6 @@ El proyecto usa otra [configuración de seguridad de GitHub](https://github.com/
   [snyk containers](https://snyk.io/pt-BR/product/container-vulnerability-management/) y otros
 - [ ] Configurar plugin Cotrast Community: Problema con la ruta serif
 - [x] Configurar plugin PMD: Problema con propriedad browser_download_url
-- [ ] Configurar plugin Snyk Security: Problema con serif
+- [x] Configurar plugin Snyk Security: Problema con serif
 - [x] Configurar plugin SonarCloud: Añadir variables secreta SONAR_TOKEN
 - [ ] Configurar plugin SOOS: Añadir variables secreta