Skip to content

ci: skip security scans gracefully when secrets are unavailable#19

Open
ivan-gudak wants to merge 1 commit into
mainfrom
ci/fix-failing-security-scan-workflows
Open

ci: skip security scans gracefully when secrets are unavailable#19
ivan-gudak wants to merge 1 commit into
mainfrom
ci/fix-failing-security-scan-workflows

Conversation

@ivan-gudak

Copy link
Copy Markdown
Collaborator

Summary

The Snyk and SonarCloud GitHub Actions workflows have been failing on every run. The root causes are authentication/configuration, not code:

  • Snyk hard-failed with 401 Unauthorized because no SNYK_TOKEN secret is configured. It has never passed.
  • SonarCloud failed on every push to main with Not authorized or project not found. The "passing" runs were Dependabot PRs that silently skip the scan (Dependabot PRs don't get repository secrets), producing misleading green checks.

Changes

  • snyk.yml: move SNYK_TOKEN to a job-level env and guard the scan with if: env.SNYK_TOKEN != '', plus a fallback Snyk Unavailable step. A missing token now skips the scan instead of hard-failing with a 401.
  • sonar.yml: add if: github.actor != 'dependabot[bot]' at the job level so Dependabot PRs show as skipped rather than a misleading green check. Pushes to main and normal contributor PRs still run the real scan.

⚠️ Required before merge — secrets to configure

These edits stop the misleading failures, but the scans will only actually run once the following repository secrets are set (Settings → Secrets and variables → Actions):

Secret Current status Action needed
SNYK_TOKEN Missing Add a Snyk auth token (snyk.io → Account settings → Auth Token). Until added, the Snyk scan is skipped (job stays green via the Snyk Unavailable step).
SONAR_TOKEN Present but unauthorized Regenerate a SonarCloud token with Execute Analysis permission for project dynatrace-oss_dtmgd in org dynatrace-oss, then update the secret. Until fixed, the SonarCloud scan on main keeps failing.

No GitHub Actions variables (vars) are required — only the two secrets above.

🤖 Generated with Claude Code

The Snyk and SonarCloud workflows were failing on every run for
auth/config reasons, not code:

- Snyk hard-failed with 401 Unauthorized because no SNYK_TOKEN secret
  is configured. Guard the scan on a job-level SNYK_TOKEN env so a
  missing token skips the scan (with a "Snyk Unavailable" notice)
  instead of failing the job.
- SonarCloud reported misleading green checks on Dependabot PRs (which
  cannot access repository secrets, so the scan was silently skipped),
  while pushes to main failed against an unauthorized token. Skip the
  job entirely for Dependabot so PR checks no longer masquerade as
  passing; pushes to main and normal PRs still run the real scan.

The scans themselves still require valid secrets to be configured
(see PR description).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dynatrace-cla-bot

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants