snyk-labs · philvarner-snyk · Nov 19, 2025 · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/snyk-code-manual.yml b/.github/workflows/snyk-code-manual.yml
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
diff --git a/.github/workflows/snyk-security-scan.yml b/.github/workflows/snyk-security-scan.yml
@@ -0,0 +1,49 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches: [ main, master ]
+  # pull_request:
+  #   branches: [ main, master ]
+  workflow_dispatch:
+
+jobs:
+  security-scan:
+    name: Snyk IaC and Container Scans
+    runs-on: ubuntu-latest
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      SNYK_CFG_ORG: varner-tech-engineering
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.0
+
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+
+      - name: Build Container Image
+        run: docker build -t nodejs-goof .
+
+      - name: Snyk Container Scan (test + monitor)
+        continue-on-error: true
+        run: |
+          snyk container test nodejs-goof --severity-threshold=high --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof || true
+          snyk container monitor nodejs-goof --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof
+
+      - name: Snyk IaC Scan
+        continue-on-error: true
+        run: snyk iac test vulnerable.tf --report --target-name=nodejs-goof --target-reference=nodejs-goof-ga-target --remote-repo-url=https://github.com/varner-tech/nodejs-goof
+
+      - name: Upload Snyk results as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: snyk-results
+          path: snyk*.json
+          if-no-files-found: ignore
diff --git a/.github/workflows/snyk-test-sarif.yml b/.github/workflows/snyk-test-sarif.yml
diff --git a/.gitignore b/.gitignore
@@ -12,3 +12,10 @@ npm-debug.log
 .idea/
 .dccache
 
+
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.windsurf/rules/snyk_rules.md
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.github/instructions/snyk_rules.instructions.md
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
-# FROM node:6-stretch
-FROM node:18.13.0
+# Using Node.js 14.18.1 which has known vulnerabilities
+FROM node:14.18.1
 
 RUN mkdir /usr/src/goof
 RUN mkdir /tmp/extracted_files

diff --git a/app.js b/app.js
@@ -26,7 +26,7 @@ var cons = require('consolidate');
 const hbs = require('hbs')
 
 var app = express();
-var routes = require('./routes');
+var routes = require('./routes');;
 var routesUsers = require('./routes/users.js')
 
 // all environments
@@ -41,7 +41,7 @@ app.use(logger('dev'));
 app.use(methodOverride());
 app.use(session({
   secret: 'keyboard cat',
-  name: 'connect.sid',
+  name: 'connect.sid ',
   cookie: { path: '/' }
 }))
 app.use(bodyParser.json());