GitHub Actions for Snyk setup and checking for vulnerabilities

Overview of GitHub Actions Integration

Snyk offers a set of GitHub actions for using Snyk to check for vulnerabilities in your GitHub projects. These actions are based on the Snyk CLI and you can use all of its options and capabilities with the args in the properties of the action.

There is also a Snyk Setup Action.

For additional information see the GitHub Actions feature page and the GitHub custom actions documentation.

You must use a different action depending on the language or process you are using. This page provides detailed information that applies to all GitHub Actions for Open Source languages and package managers. For Open Source examples, see the pages listed in the next section, GitHub Actions for Open Source languages and package managers.

For detailed information about the Docker and IaC GitHub Actions and examples see the pages listed in the subsequent section, GitHub Actions for Snyk Container and Snyk Infrastructure as Code.

For detailed information about the Setup Action and examples, see Snyk Setup Action.

GitHub Actions for Open Source languages and package managers

GitHub Actions for Snyk Container and Snyk Infrastructure as Code

Snyk GitHub Action properties for Open Source languages and package managers

The Snyk GitHub Action for Open Source languages and package managers has properties which are passed to the underlying image using with.

Property

Default

Description

args

Override the default arguments to the Snyk image. See Snyk CLI commands and options summary for all options

command

test

Specify which command to run, for instance test or monitor

json

false

In addition to the stdout, save the results as snyk.json

For the properties associated with the other Snyk GitHub Actions, see the pages listed in the section GitHub Actions for Snyk Container and Snyk Infrastructure as Code and Snyk Setup Action.

Examples of using a Snyk GitHub Action

Examples follow of using a Snyk GitHub Action to test and monitor an Open Source project. For information on using snyk test versus snyk monitor see What are the differences among snyk test, monitor, and protect?

You can find examples specific to each language, package manager, and process on the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.

Note: GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk Actions that require the token will fail to run from a forked repository.

Snyk test example

An example follows of using a Snyk GItHub Action to test a Node.js project:

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Snyk monitor example

If you want to send data to Snyk and be alerted when new vulnerabilities are discovered, run snyk monitor as follows:

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

Example of reporting only on high severity vulnerabilities

By using the args property of the action you can use all of the options and capabilities of the Snyk CLI. This example shows use of the option --severity-threshold=high.

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

GitHub Code Scanning support

Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information on the GitHub Security tab. The following applies to Snyk GitHub Actions for Open Source languages and package managers. For information on specific languages, package managers, and processes see the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.

Using --sarif-file-output Snyk CLI option and the GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning as shown in the example that follows.

The Snyk Action fails when vulnerabilities are found. This would prevent the SARIF upload action from running. Thus you must use a continue-on-error option as shown in the example that follows.

To use this option for private repos you must have GitHub Advanced Security.

If you see the error Advanced Security must be enabled for this repository to use code scanning, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository."

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

After you upload to GitHub Code Scanning support, you will see vulnerabilities on the GitHub Security tab as shown in the following screen image.

Use your own development environment

The Snyk GitHub Actions for each language automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. If you have a workflow where you already have the development tools installed, you can instead use the snyk/actions/setup Action to install only Snyk CLI. An example follows:

name: Snyk example
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: snyk/actions/setup@master
      - uses: actions/setup-go@v1
        with:
          go-version: '1.19'
      - name: Snyk test
        run: snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

The example here uses actions/setup-go. You must select the right action to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application, you are likely already installing the relevant development requirements.

Getting your Snyk token

The Snyk GitHub Actions examples on this page refer to a Snyk API token:

env:
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Every Snyk account has this token. After you have created an account with Snyk you can find the API token in one of two ways:

In the UI, go to your Snyk account settings page and retrieve the API token, as explained in Revoking and regenerating Snyk API tokens.
If you're using the Snyk CLI locally you can retrieve the API token by running snyk config get api.

PreviousCircleCI integration using a Snyk Orb NextSnyk CocoaPods Action

Last updated 1 month ago

Was this helpful?