Skip to content
Latchkey

Snyk Software Composition Analysis Scan workflow (cypress-io/cypress)

The Snyk Software Composition Analysis Scan workflow from cypress-io/cypress, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: cypress-io/cypress.github/workflows/snyk_sca_scan.yamlLicense MITView source

What it does

This is the Snyk Software Composition Analysis Scan workflow from the cypress-io/cypress repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Snyk Software Composition Analysis Scan
# This git workflow leverages Snyk actions to perform a Software Composition
# Analysis scan on our Opensource libraries upon Pull Requests to the
# "develop" branch. We use this as a control to prevent vulnerable packages
# from being introduced into the codebase.
# Enhancements were made to this action to build the yarn packages to reduce
# Snyk scan errors that were complaining about the yarn.locks etc.  Also
# implemented PAT token for actions to resolve an issue with the action not
# running and reporting back to the PR status checks
on:
  pull_request:
    branches:
      - develop
      - release/*
  pull_request_target:
    branches:
      - develop
      - release/*
permissions:
  contents: read
jobs:
  Snyk_SCA_Scan:
    runs-on: ubuntu-latest
    # Route each PR to exactly one event: internal -> pull_request, fork -> pull_request_target.
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    environment: ${{ github.event_name == 'pull_request_target' && 'fork-pr-review' || '' }}
    strategy:
      matrix:
        node-version: [22.x]
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
        with:
          node-version: 22
          # Cache only on pull_request (internal PRs) - pull_request_target writes scope to the base branch and could be poisoned by an approved fork PR.
          cache: ${{ github.event_name == 'pull_request' && 'yarn' || '' }}
      - name: Run yarn
        run: yarn
      - name: Run build
        run: yarn build
      - name: Installing snyk-delta and dependencies
        run: npm i -g snyk-delta
      - uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1
      - name: Perform SCA Scan
        continue-on-error: false
        run: |
          snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=.nx,system-tests,tooling,docker,Dockerfile --severity-threshold=critical --org=cypress-opensource
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_API: https://api.snyk.io

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Snyk Software Composition Analysis Scan
# This git workflow leverages Snyk actions to perform a Software Composition
# Analysis scan on our Opensource libraries upon Pull Requests to the
# "develop" branch. We use this as a control to prevent vulnerable packages
# from being introduced into the codebase.
# Enhancements were made to this action to build the yarn packages to reduce
# Snyk scan errors that were complaining about the yarn.locks etc.  Also
# implemented PAT token for actions to resolve an issue with the action not
# running and reporting back to the PR status checks
on:
  pull_request:
    branches:
      - develop
      - release/*
  pull_request_target:
    branches:
      - develop
      - release/*
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  Snyk_SCA_Scan:
    timeout-minutes: 30
    runs-on: latchkey-small
    # Route each PR to exactly one event: internal -> pull_request, fork -> pull_request_target.
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    environment: ${{ github.event_name == 'pull_request_target' && 'fork-pr-review' || '' }}
    strategy:
      matrix:
        node-version: [22.x]
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
        with:
          node-version: 22
          # Cache only on pull_request (internal PRs) - pull_request_target writes scope to the base branch and could be poisoned by an approved fork PR.
          cache: ${{ github.event_name == 'pull_request' && 'yarn' || '' }}
      - name: Run yarn
        run: yarn
      - name: Run build
        run: yarn build
      - name: Installing snyk-delta and dependencies
        run: npm i -g snyk-delta
      - uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1
      - name: Perform SCA Scan
        continue-on-error: false
        run: |
          snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=.nx,system-tests,tooling,docker,Dockerfile --severity-threshold=critical --org=cypress-opensource
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          SNYK_API: https://api.snyk.io
 

What changed

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow