Snyk Infrastructure as Code Action
This page provides instructions for and examples of using the Snyk GitHub Action for Infrastructure as Code. For general instructions and information see GitHub Actions integration.
In order to use the Snyk Infrastructure as Code Test Action, you must have a Snyk API token. See Getting Your Snyk Token, or you can sign up for free.
Using the Snyk Infrastructure as Code Action to check for vulnerabilities
You can use the Snyk Infrastructure as Code Action to check for vulnerabilities as follows:
Snyk Infrastructure as Code Action properties
The Snyk Infrastructure as Code Action has properties which are passed to the underlying image. These are passed to the action using with
:
args
Override the default arguments to the Snyk image.
command
"test"
Specify which command to run, currently only test
is supported.
file
The paths in which to scan files with issues.
json
false
In addition to the stdout, save the results as snyk.json
sarif
true
In addition to the stdout, save the results as snyk.sarif
Examples for Snyk Infrastructure as Code Action
Specifying paths
You can specify the paths to the configuration files and directories to target during the test. When no path is specified, the whole repository is scanned by default.
Specifying severity threshold
You can also choose to only report on high severity vulnerabilities.
Sharing test results
You can share your test results to the Snyk platform.
Specifying scan mode for Terraform Plan
You can also choose the scan mode, when scanning Terraform Plan files.
Uploading Snyk scan results to GitHub Code Scanning using the Snyk Infrastructure as Code Action
The Infrastructure as Code Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. When the action is run, a snyk.sarif
file is generated which can be uploaded to GitHub Code Scanning:
To use the upload-sarif option for private repos you must have GitHub Advanced Security.
If you see the error Advanced Security must be enabled for this repository to use code scanning
, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository."
Related documentation
For more information on how to use the snyk iac test
command, see the following:
Last updated