Add Snyk vulnerability scanning

Create a Snyk account, copy the Snyk API token into a SNYK_TOKEN GitHub Actions secret, and add a Snyk workflow that runs on pull requests with an appropriate severity threshold.

Run Snyk across monorepo packages

For a monorepo, add separate Snyk steps for each package directory such as backend and frontend so vulnerable dependencies are detected in every package before merge.

Connect SonarQube Cloud

Create a SonarQube Cloud project for the repository, generate a SONAR_TOKEN, store it as a GitHub Actions secret, and add sonar-project.properties at the repo root.

Add the SonarQube GitHub Actions workflow

Add a workflow that checks out full git history, installs dependencies, runs tests with coverage, and executes SonarSource/sonarqube-scan-action so pull requests receive a Quality Gate result.

Enable Kilo Code Review

Create a Kilo account, install the KiloConnect GitHub App, select the repositories to review, and configure the Code Review Agent with model, review style, focus areas, max review time, and optional custom instructions.

Configure Dependabot limits

Add .github/dependabot.yml with one npm ecosystem entry per package directory, set open-pull-requests-limit to 1, and group related dependency updates where useful.

Require PR checks before merge

Configure branch protection rules so Snyk, SonarQube Cloud, and code review checks must pass before changes can merge into main or develop.

Article 3 of 3 in the CI/CD series: add dependency vulnerability scanning with Snyk, static analysis with SonarQube Cloud, AI code review with Kilo, and Dependabot configured so it does not flood your board.

Dependabot

How I Added Snyk, SonarQube Cloud, and Kilo Code Review to Every PR in My Monorepo