57 commits
982c359
Add new line to .gitignore
philvarner-snyk Nov 19, 2025
8e9fed7
Add Snyk security scanning workflow
philvarner-snyk Nov 21, 2025
fde3a53
Merge branch 'main' of github.com:Snyk-Integration-App/nodejs-goof
philvarner-snyk Nov 21, 2025
4a75215
test new dockerfile and new github action
philvarner-snyk Nov 21, 2025
7af360b
comment out
philvarner-snyk Nov 21, 2025
5151dd5
remove old ymls
philvarner-snyk Nov 21, 2025
b226044
Update upload-artifact to v4 to fix deprecation warning
philvarner-snyk Nov 21, 2025
0dab142
test
philvarner-snyk Nov 21, 2025
ecd0183
Fix Snyk scan configuration to properly separate Node.js and Docker s…
philvarner-snyk Nov 21, 2025
c5c9cb0
Update workflow to continue on Node.js scan error for Docker scan
philvarner-snyk Nov 21, 2025
546be01
Add Snyk Code scan to workflow
philvarner-snyk Nov 21, 2025
fbbfb71
Add Snyk Code scan to workflow
philvarner-snyk Nov 21, 2025
04a42fb
Add Snyk Code scan to workflow
philvarner-snyk Nov 21, 2025
a214f6b
new code with vulnerability
philvarner-snyk Nov 21, 2025
cb2e5f3
Add Snyk Code scan to workflow
philvarner-snyk Nov 21, 2025
9f57790
feat: make all Snyk scans continue on error for complete results
philvarner-snyk Nov 21, 2025
0e8c078
Merge branch 'main' into new-endpoint
philvarner-snyk Nov 21, 2025
0cdd6e8
test new commit
philvarner-snyk Nov 21, 2025
3d71cca
no longer run the pipeline on pull_request
philvarner-snyk Nov 21, 2025
0a45b30
add terraform file with misconfigurations
philvarner-snyk Nov 21, 2025
47d50ce
Merge branch 'main' into new-endpoint
philvarner-snyk Nov 21, 2025
ce28686
update iac test
philvarner-snyk Nov 21, 2025
6852d21
brand new routes
philvarner-snyk Dec 9, 2025
0c44e56
add monitor to scans, remove vulnerable route call
philvarner-snyk Dec 10, 2025
9f0845d
Merge branch 'main' into new-endpoint
philvarner-snyk Dec 10, 2025
540ebd6
Merge pull request #6 from varner-tech/new-endpoint
philvarner-snyk Dec 10, 2025
3d20f00
test a new endpoint
philvarner-snyk Dec 10, 2025
216e4bc
fix bug
philvarner-snyk Dec 11, 2025
3a7015e
fix org
philvarner-snyk Dec 11, 2025
d53c832
Merge pull request #9 from varner-tech/new-endpoint
philvarner-snyk Dec 11, 2025
ca21ce5
project name
philvarner-snyk Dec 11, 2025
f1ff2ae
Merge pull request #10 from varner-tech/new-endpoint
philvarner-snyk Dec 11, 2025
8e3ff66
add file hops for vulnerability
philvarner-snyk Dec 11, 2025
e43d8af
update pipeline
philvarner-snyk Dec 11, 2025
9de2a45
test new function path for vulnerability
philvarner-snyk Dec 11, 2025
0fde06f
comment out
philvarner-snyk Dec 11, 2025
8198707
Merge pull request #11 from varner-tech/new-endpoint
philvarner-snyk Dec 11, 2025
1b960be
test
philvarner-snyk Dec 11, 2025
869e261
Merge pull request #12 from varner-tech/new-endpoint
philvarner-snyk Dec 11, 2025
61bbb95
test new name and target for yml
philvarner-snyk Dec 11, 2025
c82c151
Merge pull request #13 from varner-tech/new-endpoint
philvarner-snyk Dec 11, 2025
556cf1f
update yml
philvarner-snyk Dec 11, 2025
7f36c89
fix args error
philvarner-snyk Dec 11, 2025
98e6e7b
Test new scan
philvarner-snyk Dec 11, 2025
7d9eb23
new container scan
philvarner-snyk Dec 11, 2025
4c2cd80
go time --report only
philvarner-snyk Dec 11, 2025
abf907f
only run iac
philvarner-snyk Dec 11, 2025
5150064
add project name
philvarner-snyk Dec 11, 2025
694e56d
target name
philvarner-snyk Dec 11, 2025
601bac1
test iac with url target
philvarner-snyk Dec 11, 2025
5a8d32a
test
philvarner-snyk Dec 11, 2025
70e254f
restore full yml for gh actions
philvarner-snyk Dec 11, 2025
81bc269
simplify yml
philvarner-snyk Dec 11, 2025
ced38a8
remove SCA and SAST
philvarner-snyk Dec 11, 2025
0b76cf2
rename action
philvarner-snyk Dec 11, 2025
f49c80f
add back the bad endpoint
philvarner-snyk Dec 11, 2025
2f7cf56
comment out the function
philvarner-snyk Dec 12, 2025
71 changes: 0 additions & 71 deletions .github/workflows/codeql-analysis.yml

This file was deleted.

16 changes: 0 additions & 16 deletions .github/workflows/snyk-code-manual.yml

This file was deleted.

17 changes: 0 additions & 17 deletions .github/workflows/snyk-code.yml

This file was deleted.

49 changes: 49 additions & 0 deletions .github/workflows/snyk-security-scan.yml
@@ -0,0 +1,49 @@
name: Snyk Security Scan

on:
push:
branches: [ main, master ]
# pull_request:
# branches: [ main, master ]
workflow_dispatch:

jobs:
security-scan:
name: Snyk IaC and Container Scans
runs-on: ubuntu-latest
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_CFG_ORG: varner-tech-engineering

steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Install Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.0

- name: Install Snyk CLI
run: npm install -g snyk

- name: Build Container Image
run: docker build -t nodejs-goof .

- name: Snyk Container Scan (test + monitor)
continue-on-error: true
run: |
snyk container test nodejs-goof --severity-threshold=high --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof || true
snyk container monitor nodejs-goof --file=Dockerfile --project-name=ga-container-full --target-reference=nodejs-goof-ga-target --target-name=nodejs-goof

- name: Snyk IaC Scan
continue-on-error: true
run: snyk iac test vulnerable.tf --report --target-name=nodejs-goof --target-reference=nodejs-goof-ga-target --remote-repo-url=https://github.com/varner-tech/nodejs-goof

- name: Upload Snyk results as artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: snyk-results
path: snyk*.json
if-no-files-found: ignore
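Review bot: The final step uploads `snyk*.json`, but none of the three `snyk` invocations above writes a JSON file, so with `if-no-files-found: ignore` the artifact step silently uploads nothing; add `--json-file-output=snyk-container.json` to the `snyk container test` line and `--json-file-output=snyk-iac.json` to the `snyk iac test` line, or drop the upload step. Note also that `|| true` on the container test combined with `continue-on-error: true` means `--severity-threshold=high` never gates anything; that is consistent with a report-only pipeline (`--report`, `monitor`) but deserves a comment so the next reader does not assume the threshold blocks merges. The `Install Terraform` step is not used by any later step and can go. Finally, `actions/checkout@v3`, `hashicorp/setup-terraform@v2` and `npm install -g snyk` all resolve mutable references; pin the actions to a commit SHA and the CLI to a version for reproducibility and reduced supply-chain exposure, and since `upload-artifact` was bumped to v4 in this PR for a deprecation warning, `actions/checkout@v3` likely needs the same bump.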
17 changes: 0 additions & 17 deletions .github/workflows/snyk-test-sarif.yml

This file was deleted.

7 changes: 7 additions & 0 deletions .gitignore
@@ -12,3 +12,10 @@ npm-debug.log
.idea/
.dccache



# Snyk Security Extension - AI Rules (auto-generated)
.windsurf/rules/snyk_rules.md

# Snyk Security Extension - AI Rules (auto-generated)
.github/instructions/snyk_rules.instructions.md
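Review bot: Both added paths sit under an identical `# Snyk Security Extension - AI Rules (auto-generated)` header and are preceded by three blank lines; fold `.windsurf/rules/snyk_rules.md` and `.github/instructions/snyk_rules.instructions.md` under one header with a single blank line before it.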
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,5 +1,5 @@
# FROM node:6-stretch
FROM node:18.13.0
# Using Node.js 14.18.1 which has known vulnerabilities
FROM node:14.18.1

RUN mkdir /usr/src/goof
RUN mkdir /tmp/extracted_files
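Review bot: The inline comment records the move from `node:18.13.0` to `node:14.18.1` as a deliberate downgrade, which fits this intentionally vulnerable demo repository, but `FROM node:14.18.1` is still a tag-only, mutable reference, so `docker build` can pull different layers over time and the container scan's finding set will drift between runs; pin it with a digest (`FROM node:14.18.1@sha256:<digest>`, placeholder) so the results the workflow reports are reproducible, and state the expected failure in the PR description.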
4 changes: 2 additions & 2 deletions app.js
@@ -26,7 +26,7 @@ var cons = require('consolidate');
const hbs = require('hbs')

var app = express();
var routes = require('./routes');
var routes = require('./routes');;
var routesUsers = require('./routes/users.js')

// all environments
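Review bot: The only change in this hunk is a stray second semicolon in `var routes = require('./routes');;`; it is a harmless empty statement but reads as accidental, so revert it rather than ship it (any linter with `no-extra-semi` enabled will flag it).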
@@ -41,7 +41,7 @@ app.use(logger('dev'));
app.use(methodOverride());
app.use(session({
secret: 'keyboard cat',
name: 'connect.sid',
name: 'connect.sid ',

Bug: Session cookie name contains trailing space

The session cookie name is set to 'connect.sid ' with a trailing space. This could cause session handling issues since cookie names with trailing whitespace may be handled inconsistently across browsers and servers, potentially breaking session persistence or causing authentication problems.

cookie: { path: '/' }
}))
app.use(bodyParser.json());
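Review bot: Changing `name: 'connect.sid'` to `name: 'connect.sid '` is a functional change, not whitespace: the server stops reading the cookie existing clients already hold, so every current session is invalidated, and a space is outside the RFC 6265 `token` grammar for cookie names, so browsers and proxies may trim or reject it, as the comment above already warns. Unless the rename is intentional, drop this hunk; if the cookie name does need to change, choose a token-safe name and document the session invalidation it causes.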