From f3c7fb82dbe66d5481f61e4bdac9f5050892164b Mon Sep 17 00:00:00 2001
From: Dmitry Sulman <dmitry.sulman@gmail.com>
Date: Mon, 19 May 2025 20:49:40 +0300
Subject: [PATCH 1/4] Create snyk-security.yml

Signed-off-by: Dmitry Sulman <dmitry.sulman@gmail.com>
---
 .github/workflows/snyk-security.yml | 46 +++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/workflows/snyk-security.yml

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 0000000..7e0d7ad
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,46 @@
+name: Snyk Security
+
+on:
+  push:
+    branches: ["main" ]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Snyk CLI to check for security issues
+        # Snyk can be used to break the build when it detects security issues.
+        # In this case we want to upload the SAST issues to GitHub Code Scanning
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+
+        # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+        # Use || true to not fail the pipeline
+      - name: Snyk test
+        run: snyk test --all-sub-projects --sarif > snyk-code.sarif # || true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk-code.sarif

From 29620c38d667ccd07ed97c57ffbe9e81146388a4 Mon Sep 17 00:00:00 2001
From: Dmitry Sulman <dmitry.sulman@gmail.com>
Date: Mon, 19 May 2025 21:07:11 +0300
Subject: [PATCH 2/4] Update snyk-security.yml

Signed-off-by: Dmitry Sulman <dmitry.sulman@gmail.com>
---
 .github/workflows/snyk-security.yml | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 7e0d7ad..b74cb0a 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -11,10 +11,6 @@ permissions:
 
 jobs:
   snyk:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -35,12 +31,6 @@ jobs:
         # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
         # Use || true to not fail the pipeline
       - name: Snyk test
-        run: snyk test --all-sub-projects --sarif > snyk-code.sarif # || true
+        run: snyk test --all-sub-projects # || true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-        # Push the Snyk Code results into GitHub Code Scanning tab
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk-code.sarif

From 14d88e1344a8aedf2043eae9ec352518ce775b01 Mon Sep 17 00:00:00 2001
From: Dmitry Sulman <dmitry.sulman@gmail.com>
Date: Mon, 19 May 2025 21:34:35 +0300
Subject: [PATCH 3/4] Update snyk-security.yml

Signed-off-by: Dmitry Sulman <dmitry.sulman@gmail.com>
---
 .github/workflows/snyk-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index b74cb0a..5870457 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -31,6 +31,6 @@ jobs:
         # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
         # Use || true to not fail the pipeline
       - name: Snyk test
-        run: snyk test --all-sub-projects # || true
+        run: snyk test --all-sub-projects --configuration-matching=^runtimeClasspath$ # || true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

From b09b33d9a7ee014b82df950d1dca48fefa576f24 Mon Sep 17 00:00:00 2001
From: Dmitry Sulman <dmitry.sulman@gmail.com>
Date: Mon, 19 May 2025 21:55:45 +0300
Subject: [PATCH 4/4] Update snyk-security.yml

Signed-off-by: Dmitry Sulman <dmitry.sulman@gmail.com>
---
 .github/workflows/snyk-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
index 5870457..cc00c74 100644
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -1,4 +1,4 @@
-name: Snyk Security
+name: Snyk Dependencies Check
 
 on:
   push: