Update Snyk GitHub action and restrict workflow permissions (#898)

reugn · web-flow · commit 01e2b5365419 · 2025-07-16T11:36:10.000+03:00
diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml
@@ -7,6 +7,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   snyk-security:
     runs-on: ubuntu-latest
@@ -15,11 +19,12 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/maven@master
+        uses: snyk/actions/maven@cdb760004ba9ea4d525f2e043745dfe85bb9077e
         continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
+          snyk-version: v1.1297.3
           args: --all-projects --sarif-file-output=snyk.sarif
 
       - name: Check output file
