Fix SARIF file upload for weekly code scanning

pvannierop · pvannierop · commit 1ed4acec5af7 · 2025-09-03T08:12:15.000+02:00
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
@@ -3,32 +3,65 @@ name: Snyk scheduled code base scan
 on:
   schedule:
     - cron: '0 2 * * 1'
+
+env:
+  MODULES: >-
+    [{
+    'name': 'kafka-connect-fitbit-source',
+    'build_file': 'kafka-connect-fitbit-source/build.gradle.kts',
+    },{
+    'name': 'kafka-connect-oura-source',
+    'build_file': 'kafka-connect-oura-source/build.gradle.kts',
+    },{
+    'name': 'kafka-connect-rest-source',
+    'build_file': 'kafka-connect-rest-source/build.gradle.kts',
+    },{
+    'name': 'oura-library',
+    'build_file': 'oura-library/build.gradle',
+    }]
   workflow_dispatch:
 
 jobs:
+  prepare-matrix:
+    name: Prepare Matrix Output
+    runs-on: ubuntu-latest
+    permissions: {}
+    outputs:
+      modules: ${{ steps.step1.outputs.matrix }}
+    steps:
+      - name: Create Matrix Variable
+        id: step1
+        run: echo "matrix=${{env.MODULES}}" >> $GITHUB_OUTPUT
+
   security:
+    needs: prepare-matrix
     runs-on: ubuntu-latest
+    permissions: {}
+    strategy:
+      matrix:
+        module: ${{ fromJson(needs.prepare-matrix.outputs.modules ) }}
 
     steps:
       - uses: actions/checkout@v3
 
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/gradle-jdk17@master
+        uses: snyk/actions/gradle-8-jdk17@master
         continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           args: >-
-            --all-projects
+            --file=${{ matrix.module.build_file }}
             --configuration-matching='^runtimeClasspath$'
             --fail-on=upgradable
             --severity-threshold=high
             --policy-path=.snyk
             --org=radar-base
-            --sarif-file-output=snyk.sarif
+            --sarif-file-output=${{ matrix.module.module }}.sarif
 
       # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: snyk.sarif
+          sarif_file: ${{ matrix.module.module }}.sarif
+          category: ${{ matrix.module.module }}
