Snyk Software Composition Analysis Scan workflow (cypress-io/cypress)
The Snyk Software Composition Analysis Scan workflow from cypress-io/cypress, explained and optimized by Latchkey.
CI health: C - fair
Point runs-on at Latchkey and get run de-duplication, job timeouts, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Snyk Software Composition Analysis Scan workflow from the cypress-io/cypress repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Snyk Software Composition Analysis Scan
# This git workflow leverages Snyk actions to perform a Software Composition
# Analysis scan on our Opensource libraries upon Pull Requests to the
# "develop" branch. We use this as a control to prevent vulnerable packages
# from being introduced into the codebase.
# Enhancements were made to this action to build the yarn packages to reduce
# Snyk scan errors that were complaining about the yarn.locks etc. Also
# implemented PAT token for actions to resolve an issue with the action not
# running and reporting back to the PR status checks
on:
pull_request:
branches:
- develop
- release/*
pull_request_target:
branches:
- develop
- release/*
permissions:
contents: read
jobs:
Snyk_SCA_Scan:
runs-on: ubuntu-latest
# Route each PR to exactly one event: internal -> pull_request, fork -> pull_request_target.
if: |
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
(github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
environment: ${{ github.event_name == 'pull_request_target' && 'fork-pr-review' || '' }}
strategy:
matrix:
node-version: [22.x]
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
with:
node-version: 22
# Cache only on pull_request (internal PRs) - pull_request_target writes scope to the base branch and could be poisoned by an approved fork PR.
cache: ${{ github.event_name == 'pull_request' && 'yarn' || '' }}
- name: Run yarn
run: yarn
- name: Run build
run: yarn build
- name: Installing snyk-delta and dependencies
run: npm i -g snyk-delta
- uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1
- name: Perform SCA Scan
continue-on-error: false
run: |
snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=.nx,system-tests,tooling,docker,Dockerfile --severity-threshold=critical --org=cypress-opensource
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_API: https://api.snyk.io
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Snyk Software Composition Analysis Scan # This git workflow leverages Snyk actions to perform a Software Composition # Analysis scan on our Opensource libraries upon Pull Requests to the # "develop" branch. We use this as a control to prevent vulnerable packages # from being introduced into the codebase. # Enhancements were made to this action to build the yarn packages to reduce # Snyk scan errors that were complaining about the yarn.locks etc. Also # implemented PAT token for actions to resolve an issue with the action not # running and reporting back to the PR status checks on: pull_request: branches: - develop - release/* pull_request_target: branches: - develop - release/* permissions: contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: Snyk_SCA_Scan: timeout-minutes: 30 runs-on: latchkey-small # Route each PR to exactly one event: internal -> pull_request, fork -> pull_request_target. if: | (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) environment: ${{ github.event_name == 'pull_request_target' && 'fork-pr-review' || '' }} strategy: matrix: node-version: [22.x] steps: - name: Checkout uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 persist-credentials: false - name: Set up Node.js uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5 with: node-version: 22 # Cache only on pull_request (internal PRs) - pull_request_target writes scope to the base branch and could be poisoned by an approved fork PR. cache: ${{ github.event_name == 'pull_request' && 'yarn' || '' }} - name: Run yarn run: yarn - name: Run build run: yarn build - name: Installing snyk-delta and dependencies run: npm i -g snyk-delta - uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1 - name: Perform SCA Scan continue-on-error: false run: | snyk test --all-projects --strict-out-of-sync=false --detection-depth=6 --exclude=.nx,system-tests,tooling,docker,Dockerfile --severity-threshold=critical --org=cypress-opensource env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} SNYK_API: https://api.snyk.io
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Cancel superseded runs when a branch or PR gets a newer push.
- Add a job timeout so a hung step cannot burn hours of runner time.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- End-to-end and browser tests
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.