
Add Snyk CI security scanning for #4998 #4999

Open
austinywang wants to merge 6 commits into main from issue-4998-snyk-ci-security

Add Snyk CI security scanning for #4998#4999
austinywang wants to merge 6 commits into
mainfrom
issue-4998-snyk-ci-security

Conversation


@austinywang austinywang commented May 29, 2026

  • Install the Snyk GitHub App at the manaflow-ai org and grant access to the cmux repo.
  • Add SNYK_TOKEN repo or org secret.
  • Verify the first post-merge run posts an inline annotation on a synthetic or real finding.

Summary

  • Add a rollout-safe Snyk security workflow for pull requests and pushes to main.
  • Upload Snyk Code and Snyk Open Source SARIF into GitHub code scanning with distinct categories.
  • Add a root .snyk policy and docs/security.md for scanner scope, ignores, and fork behavior.

Scope notes

  • Snyk Code scans cmux Swift sources at high severity and above.
  • Snyk Open Source is scoped to npm SCA for web/package.json in this v1. Swift Package Manager dependencies are resolved through GhosttyTabs.xcodeproj/project.pbxproj / Xcode project metadata rather than a top-level Package.swift or Package.resolved, so SPM SCA needs a follow-up design before enabling.
  • The workflow skips cleanly when SNYK_TOKEN is unavailable, covering fork PRs, Dependabot PRs, and the pre-secret rollout window.

Testing

  • Not run locally per request. This CI/CD change is intended to validate through GitHub Actions.

Demo Video

N/A; CI/CD-only change.

Closes #4998



Note

Low Risk
CI and documentation only; no application runtime, auth, or data-path changes. Operational risk is limited to secret setup and interpreting new code-scanning alerts.

Overview
Introduces Snyk security CI on pull requests and pushes to main, gated so the job skips cleanly when SNYK_TOKEN is missing (forks, Dependabot, pre-rollout).

When the token is present, the workflow runs Snyk Code (high+ SAST, SARIF category snyk-code-swift) and Snyk Open Source against web/package.json after bun install --frozen-lockfile (npm SCA from node_modules, category snyk-open-source-web-npm). Scan steps use continue-on-error and warn if SARIF is absent; results upload via upload-sarif.

Adds root .snyk with broad Code excludes (v1 Swift-focused SAST) and docs/security.md describing scope, SARIF surfacing, fork behavior, and ignore policy.

Reviewed by Cursor Bugbot for commit 6c8acc1.


Summary by cubic

Adds rollout-safe Snyk CI scanning on PRs and main, uploading Snyk Code and Open Source SARIF to GitHub code scanning in separate categories. Snyk Code now runs before the web install; npm SCA runs after bun install --frozen-lockfile resolving from web/node_modules (not bun.lock), fulfilling #4998.

  • New Features

    • Workflow runs on PRs and main; safe-skip when SNYK_TOKEN is missing.
    • Snyk Code scans Swift (high+); uploads as snyk-code-swift.
    • Snyk Open Source scans web/package.json (high+); uploads as snyk-open-source-web-npm.
    • Warns if SARIF is missing; uses continue-on-error so uploads still run.
    • Pinned action SHAs, hardened checkout; adds .snyk and docs/security.md.
  • Migration

    • Install the Snyk GitHub App for manaflow-ai/cmux.
    • Add the SNYK_TOKEN secret, then merge to main to verify code scanning.

Written for commit 6c8acc1. Summary will update on new commits.

Summary by CodeRabbit

  • Chores

    • Integrated automated Snyk security scanning into CI. Scans run on pushes to main and on pull requests, flag high-severity issues in code and dependencies, upload SARIF results to security reporting, and are skipped when credentials aren’t available (e.g., forks).
    • Updated Snyk policy to a newer version to align with scanning behavior.
  • Documentation

    • Added security docs describing the scanning setup, severity thresholds, SARIF uploads, fork/secret behavior, and guidance for managing temporary ignores.


vercel Bot commented May 29, 2026

The latest updates on your projects.

Project      | Deployment | Actions          | Updated (UTC)
cmux         | Ready      | Preview, Comment | May 29, 2026 10:59pm
cmux-staging | Building   | Preview, Comment | May 29, 2026 10:59pm


coderabbitai Bot commented May 29, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a token-gated GitHub Actions workflow that runs Snyk Code (SAST) and Snyk Open Source (SCA) on PRs and pushes to main, uploads SARIF results conditionally, updates .snyk policy version, and adds docs/security.md describing the setup.

Changes

Snyk CI Security Scanning

Workflow declaration and token gating (.github/workflows/security-snyk.yml): Defines workflow triggers (push to main, pull_request), permissions for SARIF publishing, concurrency with pull-request cancellation, environment detection of SNYK_TOKEN, and a conditional skip step when the token is unavailable.

Build environment setup (.github/workflows/security-snyk.yml): Conditionally runs checkout (no persisted credentials), Bun setup, and web/ dependency installation with bun install --frozen-lockfile when the token is present.

Snyk Code SAST scanning (.github/workflows/security-snyk.yml): Runs snyk code test . with --severity-threshold=high, writes snyk-code.sarif, uses continue-on-error: true, warns if the SARIF file is missing, and conditionally uploads it via upload-sarif when the file exists.

Snyk Open Source SCA scanning (.github/workflows/security-snyk.yml): Runs snyk test --file=web/package.json with --severity-threshold=high, writes snyk-oss.sarif, uses continue-on-error: true, warns if the SARIF file is missing, and conditionally uploads it via upload-sarif when the file exists.

Policy configuration and documentation (.snyk, docs/security.md): Updates .snyk to version: v1.25.0; adds docs/security.md describing scanning scopes, SARIF reporting, fork-PR skip behavior when SNYK_TOKEN is missing, and guidance for .snyk ignores with expiry and reasons.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hop through CI with careful paws,
I sniff for bugs and scan the laws;
SARIF carrots clutched so near,
Secrets safe, the path is clear.
A tiny rabbit keeps the code sincere.


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 inconclusive)

Cmux User-Facing Error Privacy: ❌ Error
Explanation: Lines 55, 89 expose vendor names "Snyk Code", "Snyk Open Source" in ::warning:: alerts visible in CI logs, violating the user-facing error privacy policy.
Resolution: Replace vendor product names with generic terms like "code scanning" and "dependency scanning" in the warning messages.

Description check: ❓ Inconclusive
Explanation: PR description is comprehensive but lacks required sections. Missing 'Testing' details (author states 'not run locally'), no demo video link, and incomplete checklist items.
Resolution: Clarify testing methodology for CI/CD change validation and explicitly check off checklist items, particularly 'I tested the change locally', or provide justification for why CI/CD testing suffices.

✅ Passed checks (16 passed)

Title check: ✅ Passed. The title 'Add Snyk CI security scanning for #4998' directly references the linked issue and clearly describes the main change: adding Snyk security scanning to the CI pipeline.
Linked Issues check: ✅ Passed. The PR fully implements all acceptance criteria from #4998: adds security-snyk.yml workflow running on PRs and main, runs Snyk Code and Open Source with high severity threshold and SARIF output, uploads via github/codeql-action, forks safely via SNYK_TOKEN check, includes .snyk policy and docs/security.md, and uses continue-on-error during rollout.
Out of Scope Changes check: ✅ Passed. All changes are directly scoped to implementing #4998: the workflow file, .snyk policy, and security documentation. No unrelated modifications to existing workflows or application code are present.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Cmux Swift Actor Isolation: ✅ Passed. PR adds security scanning workflow, Snyk policy, and documentation only; no Swift code changes, so actor isolation check is not applicable.
Cmux Swift Blocking Runtime: ✅ Passed. PR contains no Swift source code changes (only CI workflow YAML, Snyk config, and documentation), making the blocking-runtime check inapplicable.
Cmux No Hacky Sleeps: ✅ Passed. PR adds only GitHub Actions workflow (out of scope), policy config, and documentation; no TypeScript, JavaScript, shell, or build/runtime scripts with sleep/timer/polling code.
Cmux Algorithmic Complexity: ✅ Passed. PR adds only configuration (GitHub Actions workflow, Snyk policy) and documentation files, not production Swift/TypeScript/JavaScript/shell/runtime code covered by the algorithmic complexity rule.
Cmux Swift Concurrency: ✅ Passed. PR modifies only configuration (.snyk), workflow (.yml), and documentation (.md) files with no Swift code changes; custom check for Swift concurrency patterns is not applicable.
Cmux Swift @Concurrent: ✅ Passed. No Swift code changes in this PR. The custom check for Swift @concurrent annotations only applies to .swift file modifications, and this PR modifies only YAML, plain text, and Markdown files.
Cmux Swift File And Package Boundaries: ✅ Passed. PR contains no Swift code changes; only workflow (YAML), policy (.snyk), and documentation (Markdown) files. Custom check applies to production Swift changes only.
Cmux Swift Logging: ✅ Passed. PR contains no Swift code changes; only GitHub Actions workflow config, Snyk policy file, and documentation. Swift logging check does not apply.
Cmux Full Internationalization: ✅ Passed. All changes are operational/infrastructure: CI workflow config, Snyk policy file, and internal security docs. No user-facing Swift text, web UI, localization keys, or end-user metadata introduced.
Cmux Swiftui State Layout: ✅ Passed. PR contains only GitHub Actions workflow, Snyk policy config, and documentation files; no SwiftUI source code changes, so the SwiftUI state layout check is not applicable.
Cmux Architecture Rethink: ✅ Passed. PR contains no Swift code changes: only adds GitHub Actions workflow, .snyk policy config, and security docs. Architectural rethink rules don't apply to CI/configuration changes.
Cmux Swift Auxiliary Window Close Shortcuts: ✅ Passed. Custom check is not applicable: PR adds only CI/CD workflow, policy, and documentation files with no Swift window/panel code changes.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/security-snyk.yml:
- Around line 31-33: The workflow Checkout step currently invokes
actions/checkout without disabling credential persistence; update the Checkout
step (the step named "Checkout" that calls
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) to add the input
persist-credentials: false so the default GITHUB_TOKEN is not written to the
repo git config for subsequent steps.

📥 Commits

Reviewing files that changed from the base of the PR and between 0c4539f and 35f74ca.

📒 Files selected for processing (3)
  • .github/workflows/security-snyk.yml
  • .snyk
  • docs/security.md


greptile-apps Bot commented May 29, 2026

Greptile Summary

This PR adds a rollout-safe Snyk CI security workflow triggered on PRs and pushes to main, with safe skipping when SNYK_TOKEN is absent. It also adds a root .snyk policy scoping SAST to cmux Swift sources and a docs/security.md documenting scanner behavior.

  • Snyk Code scans the repo root with SAST at high+ severity, relying on .snyk excludes to limit scope to Swift sources; SARIF is uploaded under snyk-code-swift.
  • Snyk Open Source scans web/package.json as npm (using bun install-populated node_modules) at high+ severity; SARIF is uploaded under snyk-open-source-web-npm.
  • Both scan steps use continue-on-error: true with missing-SARIF warning guards, and actions are SHA-pinned for supply-chain safety.

Confidence Score: 5/5

CI/CD-only change with no application runtime modifications; safe to merge once the Snyk GitHub App and SNYK_TOKEN secret are in place.

All three files are new additions to CI configuration and documentation. The workflow logic is sound: token-gated skipping works correctly for forks and pre-rollout, actions are SHA-pinned, both scan steps guard SARIF uploads with hashFiles checks, and the previously flagged bun.lock resolution gap has been addressed with --package-manager=npm and corresponding docs. No application code, auth logic, or data paths are touched.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/security-snyk.yml New Snyk workflow with token-gated skip, SHA-pinned actions, bun install for OSS SCA, SARIF uploads per scanner, and missing-SARIF warnings; logic is sound.
.snyk Policy file scoping Snyk Code SAST away from non-Swift directories; standard format with empty ignore/patch sections.
docs/security.md Operational security documentation covering scanner scope, fork PR behavior, bun.lock fallback, and ignore policy; accurate relative to workflow.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant Snyk as Snyk CLI
    participant GCS as GitHub Code Scanning

    GHA->>GHA: Check SNYK_TOKEN present
    alt Token absent
        GHA->>GHA: Print skip message and exit clean
    else Token present
        GHA->>GHA: "checkout with persist-credentials=false"
        GHA->>Snyk: snyk/actions/setup
        GHA->>Snyk: "snyk code test . --severity-threshold=high --sarif-file-output=snyk-code.sarif"
        Snyk-->>GHA: snyk-code.sarif or absent on error
        alt SARIF present
            GHA->>GCS: upload-sarif snyk-code.sarif category snyk-code-swift
        else SARIF absent
            GHA->>GHA: emit warning annotation
        end
        GHA->>GHA: Setup Bun and run bun install in web/
        GHA->>Snyk: "snyk test --file=web/package.json --package-manager=npm --sarif-file-output=snyk-oss.sarif"
        Snyk-->>GHA: snyk-oss.sarif or absent on error
        alt SARIF present
            GHA->>GCS: upload-sarif snyk-oss.sarif category snyk-open-source-web-npm
        else SARIF absent
            GHA->>GHA: emit warning annotation
        end
    end

Reviews (4): Last reviewed commit: "ci: decouple Snyk Code from web install"
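The workflow shape that the summaries and the sequence diagram above describe, written out as an added illustration; it is not the PR's own .github/workflows/security-snyk.yml. Only the actions/checkout SHA comes from this page: the other pins are placeholders, the Bun setup action and the permissions block are assumptions, and the warning text is kept vendor-neutral as the privacy check above requests.

```yaml
name: security-snyk                     # added example reconstructed from the PR summaries, not the PR's file
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  security-events: write                # required by upload-sarif
  actions: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # empty on fork PRs, Dependabot PRs and before the secret exists
    steps:
      - name: Skip when SNYK_TOKEN is unavailable
        if: env.SNYK_TOKEN == ''
        run: echo "SNYK_TOKEN not available (fork, Dependabot or pre-rollout); skipping security scan."
      - name: Checkout
        if: env.SNYK_TOKEN != ''
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          persist-credentials: false      # keep GITHUB_TOKEN out of .git/config for later steps
      - name: Set up Snyk CLI
        if: env.SNYK_TOKEN != ''
        uses: snyk/actions/setup@<pinned-commit-sha>   # placeholder: pin to a full commit SHA
      - name: Snyk Code scan (Swift SAST, high and above)
        if: env.SNYK_TOKEN != ''
        continue-on-error: true           # rollout mode: findings reach code scanning but do not block
        run: snyk code test . --severity-threshold=high --sarif-file-output=snyk-code.sarif
      - name: Warn if the code scan produced no SARIF
        if: env.SNYK_TOKEN != '' && hashFiles('snyk-code.sarif') == ''
        run: echo "::warning::code scanning produced no SARIF; see the scan step log"   # vendor-neutral text
      - name: Upload Snyk Code SARIF
        if: env.SNYK_TOKEN != '' && hashFiles('snyk-code.sarif') != ''
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha>
        with:
          sarif_file: snyk-code.sarif
          category: snyk-code-swift       # distinct category so the two scanners do not overwrite each other
      - name: Set up Bun
        if: env.SNYK_TOKEN != ''
        uses: oven-sh/setup-bun@<pinned-commit-sha>   # assumption: the page does not name the PR's Bun action
      - name: Install web dependencies
        if: env.SNYK_TOKEN != ''
        working-directory: web
        run: bun install --frozen-lockfile   # populates web/node_modules, which the npm SCA resolves from
      - name: Snyk Open Source scan (npm SCA, high and above)
        if: env.SNYK_TOKEN != ''
        continue-on-error: true
        run: snyk test --file=web/package.json --package-manager=npm --severity-threshold=high --sarif-file-output=snyk-oss.sarif
      - name: Warn if the dependency scan produced no SARIF
        if: env.SNYK_TOKEN != '' && hashFiles('snyk-oss.sarif') == ''
        run: echo "::warning::dependency scanning produced no SARIF; see the scan step log"
      - name: Upload Snyk Open Source SARIF
        if: env.SNYK_TOKEN != '' && hashFiles('snyk-oss.sarif') != ''
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha>
        with:
          sarif_file: snyk-oss.sarif
          category: snyk-open-source-web-npm
```

Because secrets are never exposed to fork or Dependabot pull requests, the job-level env leaves SNYK_TOKEN empty there and every scan step is skipped by its step-level condition rather than failing on a missing credential.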


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/security-snyk.yml (1)

68-78: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix Snyk OSS scan for the Bun project (missing supported lockfile + swallowed failures).

web/ contains only bun.lock and package.json (no yarn.lock/pnpm-lock.yaml), but the workflow runs snyk test --file=web/package.json for the “Snyk Open Source scan”, which can make the SCA dependency inventory incomplete versus using a Snyk-supported lockfile. Also, continue-on-error: true on the scan step prevents failures from failing CI.

Generate a Snyk-supported lockfile in web/ (e.g., create web/yarn.lock via bun install --yarn—omit --frozen-lockfile for first generation) and point Snyk at it (--file=web/yarn.lock), and remove/adjust continue-on-error: true so Snyk errors actually break the pipeline.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/security-snyk.yml around lines 68 - 78, The "Snyk Open
Source scan" step currently runs `snyk test --file=web/package.json` and uses
`continue-on-error: true`, which causes incomplete inventory for Bun projects
and hides failures; update the step to first generate a Snyk-supported lockfile
in web/ (e.g., run `bun install --yarn` in that step to create web/yarn.lock
without `--frozen-lockfile`) and change the snyk invocation to `snyk test
--file=web/yarn.lock` (keeping existing flags like `--severity-threshold=high`
and `--sarif-file-output=snyk-oss.sarif`), and remove or set `continue-on-error:
false` so scan failures fail the job.


📥 Commits

Reviewing files that changed from the base of the PR and between 35f74ca and 54c6f19.

📒 Files selected for processing (1)
  • .github/workflows/security-snyk.yml


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit 0599992.


Development

Successfully merging this pull request may close these issues.

CI: add Snyk as a security review bot (Snyk Code SAST + Snyk Open Source SCA, PR comments)