Update full-with-diff.yml

.github/workflows/full-with-diff.yml

@@ -1,53 +1,55 @@
-name: snyk-code-diff-pr-check
+name: Snyk Code PR Diff Scan
+
 on:
-  pull_request
+  pull_request:
+    branches: [ main ]
 
 jobs:
-  test-only-changes:
+  snyk-pipeline:
     runs-on: ubuntu-latest
-    steps:       
-      - name: checkout
-        uses: actions/checkout@v4
+    name: Snyk Code PR Diff Scan
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
-      - name: setup snyk
-        run: |
-          # download latest snyk cli and make it executable
-          curl https://static.snyk.io/cli/latest/snyk-linux -L -o snyk
-          chmod +x ./snyk
-          mv ./snyk /usr/local/bin/
+    steps:
+      # Checkout PR branch
+      - name: Checkout PR branch
+        uses: actions/checkout@v2
 
-      - name: snyk test
-        run: |
-          # authenticate snyk
-          snyk auth ${{ secrets.SNYK_TOKEN }}
-          # run snyk code test, export output to a sarif file and set it to not fail if issues
-          snyk code test --org=6d36ac7a-c75b-4179-8e73-6dd4d3fc8343 --sarif-file-output=snyk.sarif || true
-
-      - name: results for changed files
+      # Download and install Snyk
+      - name: Download and install Snyk
         run: |
-          curl https://github.com/stedolan/jq/releases/latest/download/jq-linux64 -L -o jq
-          chmod +x ./jq
-          mv ./jq /usr/local/bin/
-          # make our local executable
-          chmod +x "${GITHUB_WORKSPACE}/.github/scripts/codeprcheck.sh"
-          # run codeprcheck.sh which outputs an updated sarif with snyk code results on modified files  
-          # the input for codeprcheck.sh is the sarif file exported from snyk code test 
-          ${GITHUB_WORKSPACE}/.github/scripts/codeprcheck.sh snyk.sarif snykupdated.sarif
-          # list all of the contents of the workspace using long listing format (intended to help confirm updated sarif creation)
-          ls -al
-
-      - name: generate snyk report
-        run: |
-          # make our local executable
-          curl https://github.com/snyk/snyk-to-html/releases/latest/download/snyk-to-html-linux -L -o snyk-to-html
-          chmod +x ./snyk-to-html
-          mv ./snyk-to-html /usr/local/bin/
-          snyk-to-html -i snykupdated.sarif > snykreport.html
-          # list all of the contents of the workspace using long listing format (intended to help confirm updated sarif creation)
-          ls -al
-
-      - name: upload snyk report
-        uses: actions/upload-artifact@v4
+          wget -O snyk https://static.snyk.io/cli/latest/snyk-linux
+          chmod +x snyk
+          sudo mv snyk /usr/local/bin/
+
+      # Authenticate Snyk
+      - name: Authenticate Snyk
+        run: snyk auth $SNYK_TOKEN
+
+      # Run Snyk Code on PR branch
+      - name: Run Snyk Code on PR branch
+        run: snyk code test --json-file-output=${{ github.workspace }}/snyk_code_pr.json || true
+        continue-on-error: true
+
+      # Upload Snyk Code results from PR scan
+      - name: Upload Snyk Code results from PR scan
+        if: success() && steps.snyk-pipeline.outputs.exit-code != 0
+        uses: actions/upload-artifact@v2
+        with:
+          name: snyk_code_pr
+          path: ${{ github.workspace }}/snyk_code_pr.json
+
+      # Download Snyk Code results from main branch
+      - name: Download Snyk Code results from main branch
+        if: always()
+        uses: actions/download-artifact@v2
         with:
-          name: snyk-report
-          path: snykreport.html
+          name: snyk_code_baseline
+
+      # Check if new issues have been introduced via the PR
+      - name: Check for new issues introduced via the PR
+        if: always()
+        run: |
+          chmod +x ${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux
+          ${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux code ${{ github.workspace }}/snyk_code_baseline.json ${{ github.workspace }}/snyk_code_pr.json