Snyk Maven action

This page provides examples of using the Snyk GitHub action for Maven. For instructions on using the action and further information, see GitHub Actions for Snyk setup and checking for vulnerabilities.

Using the Snyk Maven Action to check for vulnerabilities

You can use the Snyk Maven action to check for vulnerabilities as follows:

name: Example workflow for Maven using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

You can use the Snyk Snyk Maven action to check for only high severity vulnerabilities as follows:

name: Example workflow for Maven using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Uploading Snyk scan results to GitHub Code Scanning using the Snyk Maven action

Using --sarif-file-output Snyk CLI option and the GitHub SARIF upload action, you can upload Snyk scan results to GitHub Code Scanning as shown in the example that follows.

The Snyk action fails when vulnerabilities are found. This would prevent the SARIF upload action from running. Thus, you must use a continue-on-error option as shown in this example: