GitHub Actions
As of December 15, 2022, the GitHub Actions integration pages are being moved from the repository to the Snyk docs site. During this process the explanations will provide the same basic information but vary in presentation. If you need help contact Snyk support.
Snyk offers a set of GitHub actions for using Snyk to check for vulnerabilities in your GitHub projects. These actions are are based on the Snyk CLI and you can use all of its options and capabilities with the
args in the properties of the action.For additional information see the GitHub Actions feature page and the GitHub custom actions documentation.
You must use a different action depending on the language or process you are using. This page provides detailed information that applies to all GitHub Actions for Open Source languages and package managers. For Open Source examples, see the pages listed in the next section, GitHub Actions for Open Source languages and package managers.
For detailed information about the Docker and IaC GitHub Actions and examples see the pages listed in the subsequent section, GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
The Snyk GitHub Action for Open Source languages and package managers has properties which are passed to the underlying image using
with.Property | Default | Description |
|---|---|---|
args | | Override the default arguments to the Snyk image. See Snyk CLI commands and options summary for all options |
command | test | Specify which command to run, for instance test or monitor |
json | false | In addition to the stdout, save the results as snyk.json |
For the properties associated with the other Snyk GitHub Actions, see the pages listed in the section GitHub Actions for Snyk Container and Snyk Infrastructure as Code and Snyk Setup Action.
Examples follow of using a Snyk GitHub Action to test and monitor an Open Source project. For information on using
snyk test versus snyk monitor see What are the differences among snyk test, monitor, and protect?You can find examples specific to each language, package manager, and process on the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
Note: GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk Actions that require the token will fail to run from a forked repository.
An example follows of using a Snyk GItHub Action to test a Node.js project:
name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/[email protected]
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
If you want to send data to Snyk and be alerted when new vulnerabilities are discovered, run
snyk monitor as follows:name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/[email protected]
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
By using the
args property of the action you can use all of the options and capabilities of the Snyk CLI. This example shows use of the option --severity-threshold=high.name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/nodemaster
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information on the GitHub Security tab. The following applies to Snyk GitHub Actions for Open Source languages and package managers. For information on specific languages, package managers, and processes see the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
Using
--sarif-file-output Snyk CLI option and the GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning as shown in the example that follows.The Snyk Action fails when vulnerabilities are found. This would prevent the SARIF upload action from running. Thus you must use a continue-on-error option as shown in the example that follows.
To use this option for private repos you must have GitHub Advanced Security.
name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/nodemaster
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-[email protected]
with:
sarif_file: snyk.sarif
After you upload to GitHub Code Scanning support, you will see vulnerabilities on the GitHub Security tab as shown in the following screen image.
GitHub Security tab showing uploaded vulnerability
The Snyk GitHub Actions for each language automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. If you have a workflow where you already have the development tools installed, you can instead use the
snyk/actions/setup Action to install only Snyk CLI. An example follows:name: Snyk example
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
- uses: snyk/actions/[email protected]
- uses: actions/setup-[email protected]
with:
go-version: '1.19'
- name: Snyk test
run: snyk test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
The example here uses
actions/setup-go. You must select the right action to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application, you are likely already installing the relevant development requirements.The Snyk GitHub Actions examples on this page refer to a Snyk API token:
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Every Snyk account has this token. Once you create an account you can find the API token in one of two ways:
- 1.In the UI, go to your Snyk account settings page and retrieve the API token, as explained in Revoking and regenerating Snyk API tokens.
- 2.
Last modified 7d ago