GitHub Actions for Snyk setup and checking for vulnerabilities
Overview of GitHub Actions Integration
Snyk offers a set of GitHub actions for using Snyk to check for vulnerabilities in your GitHub projects. These actions are based on the Snyk CLI and you can use all of its options and capabilities with the args
in the properties of the action.
There is also a Snyk Setup Action.
For additional information see the GitHub Actions feature page and the GitHub custom actions documentation.
You must use a different action depending on the language or process you are using. This page provides detailed information that applies to all GitHub Actions for Open Source languages and package managers. For Open Source examples, see the pages listed in the next section, GitHub Actions for Open Source languages and package managers.
For detailed information about the Docker and IaC GitHub Actions and examples see the pages listed in the subsequent section, GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
For detailed information about the Setup Action and examples, see Snyk Setup Action.
GitHub Actions for Open Source languages and package managers
GitHub Actions for Snyk Container and Snyk Infrastructure as Code
Snyk GitHub Action properties for Open Source languages and package managers
The Snyk GitHub Action for Open Source languages and package managers has properties which are passed to the underlying image using with
.
args
Override the default arguments to the Snyk image. See Snyk CLI commands and options summary for all options
command
test
Specify which command to run, for instance test or monitor
json
false
In addition to the stdout, save the results as snyk.json
For the properties associated with the other Snyk GitHub Actions, see the pages listed in the section GitHub Actions for Snyk Container and Snyk Infrastructure as Code and Snyk Setup Action.
Examples of using a Snyk GitHub Action
Examples follow of using a Snyk GitHub Action to test and monitor an Open Source project. For information on using snyk test
versus snyk monitor
see What are the differences among snyk test, monitor, and protect?
You can find examples specific to each language, package manager, and process on the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
Note: GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk Actions that require the token will fail to run from a forked repository.
Snyk test example
An example follows of using a Snyk GItHub Action to test a Node.js project:
Snyk monitor example
If you want to send data to Snyk and be alerted when new vulnerabilities are discovered, run snyk monitor
as follows:
Example of reporting only on high severity vulnerabilities
By using the args
property of the action you can use all of the options and capabilities of the Snyk CLI. This example shows use of the option --severity-threshold=high
.
GitHub Code Scanning support
Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information on the GitHub Security tab. The following applies to Snyk GitHub Actions for Open Source languages and package managers. For information on specific languages, package managers, and processes see the pages listed in GitHub Actions for Open Source languages and package managers and GitHub Actions for Snyk Container and Snyk Infrastructure as Code.
Using --sarif-file-output
Snyk CLI option and the GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning as shown in the example that follows.
The Snyk Action fails when vulnerabilities are found. This would prevent the SARIF upload action from running. Thus you must use a continue-on-error option as shown in the example that follows.
To use this option for private repos you must have GitHub Advanced Security.
If you see the error Advanced Security must be enabled for this repository to use code scanning
, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository."
After you upload to GitHub Code Scanning support, you will see vulnerabilities on the GitHub Security tab as shown in the following screen image.
Use your own development environment
The Snyk GitHub Actions for each language automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. If you have a workflow where you already have the development tools installed, you can instead use the snyk/actions/setup
Action to install only Snyk CLI. An example follows:
The example here uses actions/setup-go
. You must select the right action to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application, you are likely already installing the relevant development requirements.
Getting your Snyk token
The Snyk GitHub Actions examples on this page refer to a Snyk API token:
Every Snyk account has this token. After you have created an account with Snyk you can find the API token in one of two ways:
In the UI, go to your Snyk account settings page and retrieve the API token, as explained in Revoking and regenerating Snyk API tokens.
If you're using the Snyk CLI locally you can retrieve the API token by running
snyk config get api
.
Last updated