ci: fix snyk security scans in bake_targets.yml (#329)

Closes #327

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>

.github/workflows/bake.yml

@@ -51,6 +51,8 @@ jobs:
     with:
       environment: ${{ github.event.inputs.environment }}
       postgresql_version: ${{ matrix.version }}
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   Catalogs:
     name: Update Catalogs

.github/workflows/bake_targets.yml

@@ -29,6 +29,9 @@ on:
           `source` directory.
         required: false
         type: string
+    secrets:
+      SNYK_TOKEN:
+        required: false
 
 permissions: {}
 
@@ -158,6 +161,10 @@ jobs:
 
       - name: Snyk
         uses: snyk/actions/docker@master
+        id: snyk
+        if: ${{ env.SNYK_TOKEN != '' }}
+        # Snyk can be used to break the build when it detects vulnerabilities.
+        # In this case we want to upload the issues to GitHub Code Scanning.
         continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -165,9 +172,15 @@ jobs:
           image: "${{ matrix.image }}"
           args: --severity-threshold=high --file=Dockerfile
 
+      - name: Replace sarif security-severity invalid values
+        if: ${{ steps.snyk.conclusion == 'success' }}
+        run: |
+          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
-        continue-on-error: true
+        if: ${{ steps.snyk.conclusion == 'success' }}
         with:
           sarif_file: snyk.sarif