From f7e28cab0ea05985d087096c837f96abc687be32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niccol=C3=B2=20Fei?=
Date: Fri, 26 Sep 2025 15:49:06 +0200
Subject: [PATCH] ci: fix snyk security scans in bake_targets.yml (#329)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #327

Signed-off-by: Niccolò Fei
---
 .github/workflows/bake.yml | 2 ++
 .github/workflows/bake_targets.yml | 15 ++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 68d15ad8..47d0032d 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -51,6 +51,8 @@ jobs:
 with:
 environment: ${{ github.event.inputs.environment }}
 postgresql_version: ${{ matrix.version }}
+ secrets:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 Catalogs:
 name: Update Catalogs
diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml
index 8ab4a9f1..239c466a 100644
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -29,6 +29,9 @@ on:
 `source` directory.
 required: false
 type: string
+ secrets:
+ SNYK_TOKEN:
+ required: false
 permissions: {}
@@ -158,6 +161,10 @@ jobs:
 - name: Snyk
 uses: snyk/actions/docker@master
+ id: snyk
+ if: ${{ env.SNYK_TOKEN != '' }}
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want to upload the issues to GitHub Code Scanning.
 continue-on-error: true
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
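Review bot: The new `SNYK_TOKEN` entry under `on.workflow_call.secrets` carries no `description`, so a caller of this reusable workflow cannot tell from its interface that leaving the secret out silently skips the Snyk scan and the Code Scanning upload (the `if:` guards added later in this patch) instead of failing the run. Add `description: Snyk API token; when not provided, the Snyk image scan and the Code Scanning upload are skipped.` next to `required: false`. The enclosing `on:` block starts before the hunk.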
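Review bot: `uses: snyk/actions/docker@master`, directly above the new `id: snyk`, still tracks a mutable branch while the upload-sarif step in the same job is pinned to a full commit SHA; this is the step that receives `SNYK_TOKEN` and inspects the freshly built image, so a moving ref is the weakest link left in the job after this change. Pin it to a commit with a version comment, `uses: snyk/actions/docker@<commit-sha>  # <release-tag>` (placeholder: take the SHA of the current release), and let dependency automation bump it. The `if: ${{ env.SNYK_TOKEN != '' }}` guard depends on the step-scoped `env` block being evaluated before that step's own `if`; I believe that holds, but a one-line comment such as `# step-level env is read here so the scan is skipped when the caller passed no SNYK_TOKEN` would stop someone hoisting or removing the `env` block without rechecking. The Snyk step continues past the hunk (its `with:` block appears in the next hunk).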
@@ -165,9 +172,15 @@ jobs:
 image: "${{ matrix.image }}"
 args: --severity-threshold=high --file=Dockerfile
+ - name: Replace sarif security-severity invalid values
+ if: ${{ steps.snyk.conclusion == 'success' }}
+ run: |
+ sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+ sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
- continue-on-error: true
+ if: ${{ steps.snyk.conclusion == 'success' }}
 with:
 sarif_file: snyk.sarif
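Review bot: `if: ${{ steps.snyk.conclusion == 'success' }}` on the new sed step and on the upload step is true whenever the Snyk step ran at all, because that step has `continue-on-error: true` (previous hunk): `conclusion` is forced to `success` after continue-on-error is applied and only `outcome` reflects the real result. A scan that failed before writing `snyk.sarif` (rejected token, image pull error) therefore passes the gate, and `sed -i ... snyk.sarif` then fails on the missing file, turning a soft Snyk failure back into a hard job failure — exactly what the removed `continue-on-error` on the upload step used to mask. Gate both steps on the artifact as well, keeping the upload for scans that exited non-zero because of findings: `if: ${{ steps.snyk.conclusion == 'success' && hashFiles('snyk.sarif') != '' }}`. The sed rewrite also deserves a why-comment above `run:`, e.g. `# Code Scanning rejects non-numeric security-severity; presumably Snyk writes "null"/"undefined" for findings without a score`. The enclosing job starts before the hunk.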