From 6e498ede72689ba5350f4fab284d881351cc9930 Mon Sep 17 00:00:00 2001
From: Piotr Zajac
Date: Sun, 12 Apr 2026 20:54:37 +0200
Subject: [PATCH 1/3] fix(snyk): Update action and split report upload
---
.backlog/tasks/task-11 - Fix-snyk-workflow.md | 51 +++++++++++++++++++
.github/workflows/snyk.yml | 25 ++++-----
2 files changed, 64 insertions(+), 12 deletions(-)
create mode 100644 .backlog/tasks/task-11 - Fix-snyk-workflow.md
diff --git a/.backlog/tasks/task-11 - Fix-snyk-workflow.md b/.backlog/tasks/task-11 - Fix-snyk-workflow.md
new file mode 100644
index 00000000..62e8106b
--- /dev/null
+++ b/.backlog/tasks/task-11 - Fix-snyk-workflow.md
@@ -0,0 +1,51 @@
+---
+id: TASK-11
+title: Fix snyk workflow
+status: Done
+assignee:
+ - claude
+ - piotrzajac
+created_date: '2026-04-12'
+updated_date: '2026-04-12'
+labels: [ci-cd, sec]
+dependencies: []
+priority: medium
+---
+
+## Description
+
+
+Two issues need fixing in `.github/workflows/snyk.yml`:
+
+### Issue 1 — Deprecated action
+
+All three scan/monitor steps use `snyk/actions/dotnet@master`, which is officially
+deprecated and no longer supported by Snyk (no .NET-specific replacement exists).
+
+The recommended migration is `snyk/actions/setup@master` (installs the Snyk CLI only)
+combined with explicit `run: snyk ...` commands. Since the workflow already runs on
+`ubuntu-latest`, the Docker-based `setup` action works without any runner change.
+
+### Issue 2 — Multiple SARIF runs under the same category
+
+The single `upload-sarif` step points to the `snyk/` directory, which contains two
+SARIF files (`opensource.sarif` and `code.sarif`). GitHub Code Scanning no longer
+allows multiple SARIF runs uploaded under the same category (announced 2025-07-21),
+causing the workflow to fail with:
+
+> The CodeQL Action does not support uploading multiple SARIF runs with the same
+> category. Please update your workflow to upload a single run per category.
+
+**Fix:** replace the single directory upload with two steps, each pointing to a
+specific file with a distinct `category`. The `category` parameter creates an
+independent slot in the GitHub Advanced Security dashboard — uploads coexist and
+neither overwrites the other.
+
+
+## Acceptance Criteria
+
+- [x] #1 All three `snyk/actions/dotnet@master` steps are replaced with `snyk/actions/setup@master` + `run:` commands
+- [x] #2 The single `upload-sarif` directory step is replaced by two file-specific steps
+- [x] #3 Each upload step specifies a distinct `category` (`snyk-opensource` and `snyk-code`)
+- [x] #4 Both upload steps retain `if: ${{ always() }}` so results upload even when scans report findings
+- [x] #5 The workflow runs without error
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index c1ec8a75..86d4f1bc 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -45,30 +45,31 @@ jobs:
if ($LastExitCode -ne 0) {
throw "dotnet restore failed with exit code $LastExitCode"
}
+ - name: 🏗️ setup snyk
+ uses: snyk/actions/setup@master
- name: 🔬 snyk opensource scan
- uses: snyk/actions/dotnet@master
+ run: snyk test --sarif-file-output=snyk/opensource.sarif --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- with:
- args: --sarif-file-output=snyk/opensource.sarif --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests
- name: 🔬 snyk code scan
- uses: snyk/actions/dotnet@master
+ run: snyk code test --sarif-file-output=snyk/code.sarif
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- with:
- args: --sarif-file-output=snyk/code.sarif
- command: code test
- name: 📈 snyk monitor
- uses: snyk/actions/dotnet@master
+ run: snyk monitor --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ - name: 📊 upload opensource sarif for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v4
with:
- args: --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests
- command: monitor
- - name: 📊 upload sarif file for GitHub Advanced Security Dashboard
+ sarif_file: snyk/opensource.sarif
+ category: snyk-opensource
+ if: ${{ always() }}
+ - name: 📊 upload code sarif for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v4
with:
- sarif_file: snyk
+ sarif_file: snyk/code.sarif
+ category: snyk-code
if: ${{ always() }}
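Review bot: `uses: snyk/actions/setup@master` on the new setup step pins a third-party action to a moving branch, so anything pushed to that branch runs inside a job that holds `SNYK_TOKEN`; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: snyk/actions/setup@<commit-sha>  # v1.0.0`. PATCH 2/3 moves it to `@v1.0.0`, but a tag can be re-pointed just like a branch, so the same applies there and to `github/codeql-action/upload-sarif@v4`. The new `run:` steps set no `shell:`, and the preceding step is clearly PowerShell (`$LastExitCode`, `throw`), so whether a job-level `defaults.run.shell` outside this hunk applies to them is worth checking; the long `--exclude=…` list is also now duplicated verbatim between the test and monitor commands and would be easier to keep in sync as a single job-level `env:` value referenced from both. The two upload steps need `security-events: write`; the job's `permissions` block, if it has one, is outside this hunk and I could not confirm it.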
From 272327edc33e9eb4f9248af36d3f505e9cc835aa Mon Sep 17 00:00:00 2001
From: Piotr Zajac
Date: Sun, 12 Apr 2026 20:54:37 +0200
Subject: [PATCH 2/3] fix(snyk): Guard SARIF uploads when output files are
missing.
---
.github/workflows/snyk.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index 86d4f1bc..afff3987 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -46,7 +46,7 @@ jobs:
throw "dotnet restore failed with exit code $LastExitCode"
}
- name: 🏗️ setup snyk
- uses: snyk/actions/setup@master
+ uses: snyk/actions/setup@v1.0.0
- name: 🔬 snyk opensource scan
run: snyk test --sarif-file-output=snyk/opensource.sarif --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests
continue-on-error: true
@@ -66,10 +66,10 @@ jobs:
with:
sarif_file: snyk/opensource.sarif
category: snyk-opensource
- if: ${{ always() }}
+ if: ${{ always() && hashFiles('snyk/opensource.sarif') != '' }}
- name: 📊 upload code sarif for GitHub Advanced Security Dashboard
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: snyk/code.sarif
category: snyk-code
- if: ${{ always() }}
+ if: ${{ always() && hashFiles('snyk/code.sarif') != '' }}
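Review bot: The new `hashFiles(...) != ''` guards, combined with `continue-on-error: true` on the scan steps (which sit outside this hunk), turn a scan that produced no SARIF at all — rejected `SNYK_TOKEN`, CLI failure, Snyk Code not enabled for the org — into a skipped upload and a green job, so a broken scanner is now indistinguishable from a clean one in the workflow status. For `snyk test` and `snyk code test` only exit code 1 (findings present) is worth tolerating; other non-zero codes should fail the job, either by letting the scan step fail on them or by adding a step after each scan such as `- name: require opensource sarif` / `if: ${{ hashFiles('snyk/opensource.sarif') == '' }}` / `run: echo "snyk/opensource.sarif was not produced" && exit 1`, and likewise for `snyk/code.sarif`. `always()` also runs the uploads on a cancelled run; `!cancelled()` is usually the intent here.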
From 26b8f0d7f299685fa53d5160e1a1ce4fbe2ae962 Mon Sep 17 00:00:00 2001
From: Piotr Zajac
Date: Sun, 12 Apr 2026 21:31:06 +0200
Subject: [PATCH 3/3] fix(snyk): Update setup icon
---
.github/workflows/snyk.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
index afff3987..42aa8815 100644
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@@ -45,7 +45,7 @@ jobs:
if ($LastExitCode -ne 0) {
throw "dotnet restore failed with exit code $LastExitCode"
}
- - name: 🏗️ setup snyk
+ - name: 🛠️ setup snyk
uses: snyk/actions/setup@v1.0.0
- name: 🔬 snyk opensource scan
run: snyk test --sarif-file-output=snyk/opensource.sarif --all-projects --exclude=Objectivity.AutoFixture.XUnit2.AutoFakeItEasy.Tests,Objectivity.AutoFixture.XUnit2.AutoMoq.Tests,Objectivity.AutoFixture.XUnit2.AutoNSubstitute.Tests,Objectivity.AutoFixture.XUnit2.Core.Tests