Using the Snyk Infrastructure as Code Action to check for vulnerabilities
You can use the Snyk Infrastructure as Code Action to check for vulnerabilities as follows:
name:Example workflow for Snyk Infrastructure as Codeon:pushjobs:security:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check Kubernetes manifest file for issuesuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }}
Snyk Infrastructure as Code Action properties
The Snyk Infrastructure as Code Action has properties which are passed to the underlying image. These are passed to the action using with:
Examples for Snyk Infrastructure as Code Action
Specifying paths
You can specify the paths to the configuration files and directories to target during the test.
When no path is specified, the whole repository is scanned by default.
name:Example workflow for Snyk Infrastructure as Codeon:pushjobs:security:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check Kubernetes manifest file for issuesuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }}with:file:your/kubernetes-manifest.yaml your/terraform/directory
Specifying severity threshold
You can also choose to only report on high severity vulnerabilities.
name:Example workflow for Snyk Infrastructure as Codeon:pushjobs:security:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check Kubernetes manifest file for issuesuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }}with:file:your/kubernetes-manifest.yamlargs:--severity-threshold=high
name:Example workflow for Snyk Infrastructure as Codeon:pushjobs:security:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check Kubernetes manifest file for issuesuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }}with:args:--report
Specifying scan mode for Terraform Plan
You can also choose the scan mode, when scanning Terraform Plan files.
name:Example workflow for Snyk Infrastructure as Codeon:pushjobs:security:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check Kubernetes manifest file for issuesuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }}with:args:--scan=resource-changes
Uploading Snyk scan results to GitHub Code Scanning using the Snyk Infrastructure as Code Action
The Infrastructure as Code Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. When the action is run, a snyk.sarif file is generated which can be uploaded to GitHub Code Scanning:
name:Snyk Infrastructure as Codeon:pushjobs:snyk:runs-on:ubuntu-lateststeps: - uses:actions/checkout@v2 - name:Run Snyk to check configuration files for security issues# Snyk can be used to break the build when it detects security issues.# In this case we want to upload the issues to GitHub Code Scanningcontinue-on-error:trueuses:snyk/actions/iac@masterenv:SNYK_TOKEN:${{ secrets.SNYK_TOKEN }} - name:Upload result to GitHub Code Scanninguses:github/codeql-action/upload-sarif@v2with:sarif_file:snyk.sarif
To use the upload-sarif option for private repos you must have GitHub Advanced Security.
