From e25726d3e96f0f49ded6fb00c30b899e05cfa188 Mon Sep 17 00:00:00 2001 From: echska Date: Sun, 10 May 2026 00:35:31 +0300 Subject: [PATCH] Fix Snyk IaC workflow SARIF generation and upload --- .github/workflows/backend-docker.yml | 52 ++++++++++++++++++++++ .github/workflows/snyk-infrastructure.yml | 54 ++++++++--------------- 2 files changed, 70 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/backend-docker.yml diff --git a/.github/workflows/backend-docker.yml b/.github/workflows/backend-docker.yml new file mode 100644 index 0000000..67a01d2 --- /dev/null +++ b/.github/workflows/backend-docker.yml @@ -0,0 +1,52 @@ +name: Build and Push Backend Docker Image + +on: + push: + branches: [ "main" ] + paths: + - "parental-control-system/backend/**" + - ".github/workflows/backend-docker.yml" + workflow_dispatch: + +permissions: + contents: read + packages: write + +env: + IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/parental-control-backend + +jobs: + docker: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=sha + type=raw,value=latest + + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: ./parental-control-system/backend + file: ./parental-control-system/backend/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/snyk-infrastructure.yml b/.github/workflows/snyk-infrastructure.yml index 5f007a0..e7e16d6 100644 --- a/.github/workflows/snyk-infrastructure.yml +++ b/.github/workflows/snyk-infrastructure.yml 
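Review bot: Every action in the new backend-docker.yml is referenced by a mutable major tag (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v6`) even though this job holds a `packages: write` token and publishes the `latest` tag to GHCR, so a retargeted or compromised tag would be able to push an arbitrary image under the project's name. The repository's own convention in the old snyk-infrastructure.yml was to pin `snyk/actions/iac` to a full commit SHA; apply the same here, e.g. `uses: docker/build-push-action@<commit-sha>  # v6`, and let Dependabot or Renovate bump the pinned SHA. A short header comment stating that the image is rebuilt on every push to main that touches the backend path, and that `latest` therefore always tracks main, would also help readers of the GHCR package page.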
@@ -1,54 +1,36 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# A sample workflow which checks out your Infrastructure as Code Configuration files, -# such as Kubernetes, Helm & Terraform and scans them for any security issues. -# The results are then uploaded to GitHub Security Code Scanning -# -# For more examples, including how to limit scans to only high-severity issues -# and fail PR checks, see https://github.com/snyk/actions/ - name: Snyk Infrastructure as Code on: push: - branches: [ "main" ] + branches: [ main ] pull_request: - # The branches below must be a subset of the branches above - branches: [ "main" ] - schedule: - - cron: '25 17 * * 1' + branches: [ main ] permissions: contents: read + security-events: write + actions: read jobs: snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest + container: + image: snyk/snyk:alpine + steps: - - uses: actions/checkout@v4 - - name: Run Snyk to check configuration files for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true - uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Snyk IaC scan and create SARIF env: - # In order to use the Snyk Action you will need to have a Snyk API token. 
- # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - # Add the path to the configuration file that you would like to test. - # For example `deployment.yaml` for a Kubernetes deployment manifest - # or `main.tf` for a Terraform configuration file - file: your-file-to-test.yaml + run: | + snyk auth "$SNYK_TOKEN" + snyk iac test --sarif-file-output=snyk.sarif || true + ls -la + - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 + if: always() && hashFiles('snyk.sarif') != '' + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: snyk.sarif
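Review bot: `snyk iac test --sarif-file-output=snyk.sarif || true` in the new run step swallows every non-zero exit, not only the "issues found" result: an expired token, a CLI crash or a checkout with no recognised IaC files all look the same, no SARIF is written, the `hashFiles('snyk.sarif') != ''` guard then skips the upload, and the job still goes green without any scan having happened. The Snyk CLI separates these cases by exit code (0 clean, 1 findings, 2 scan failure, 3 no supported files), so only exit 1 should be tolerated; the rewrite below does that, drops the `ls -la` debugging leftover and the redundant `snyk auth` call (the CLI reads `SNYK_TOKEN` from the environment, which also keeps the token out of the process argument list). The job now runs in `container: image: snyk/snyk:alpine`, a floating tag that replaces the SHA-pinned `snyk/actions/iac` of the old workflow; pin the image by digest (`snyk/snyk:alpine@sha256:<digest>`) so the scanner itself is not a mutable dependency. Removing the `schedule` trigger also means the repository is no longer rescanned when Snyk's rules change without a push; if that is intentional, a comment saying so would save the next reader a question.
```yaml
      - name: Run Snyk IaC scan and create SARIF
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          # Snyk exit codes: 0 clean, 1 issues found (SARIF still written),
          # 2 scan failure, 3 no supported IaC files. Only 1 is tolerated.
          rc=0
          snyk iac test --sarif-file-output=snyk.sarif || rc=$?
          if [ "$rc" -gt 1 ]; then
            echo "snyk iac test did not complete (exit code $rc)" >&2
            exit "$rc"
          fi
      # … unchanged: Upload result to GitHub Code Scanning step …
```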