Snyk Infrastructure as Code Action

This page provides instructions for and examples of using the Snyk GitHub Action for Infrastructure as Code. For general instructions and information see GitHub Actions integration.

In order to use the Snyk Infrastructure as Code Test Action, you must have a Snyk API token. See Getting Your Snyk Token, or you can sign up for free.

Using the Snyk Infrastructure as Code Action to check for vulnerabilities

You can use the Snyk Infrastructure as Code Action to check for vulnerabilities as follows:

name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Snyk Infrastructure as Code Action properties

The Snyk Infrastructure as Code Action has properties which are passed to the underlying image. These are passed to the action using with:

Property Default Description

Property	Default	Description
`args`		Override the default arguments to the Snyk image.
`command`	`"test"`	Specify which command to run, currently only `test` is supported.
`file`		The paths in which to scan files with issues.
`json`	`false`	In addition to the stdout, save the results as snyk.json
`sarif`	`true`	In addition to the stdout, save the results as snyk.sarif

args

Override the default arguments to the Snyk image.

command

"test"

Specify which command to run, currently only test is supported.

file

The paths in which to scan files with issues.

json

false

In addition to the stdout, save the results as snyk.json

sarif

true

In addition to the stdout, save the results as snyk.sarif

Examples for Snyk Infrastructure as Code Action

Specifying paths

You can specify the paths to the configuration files and directories to target during the test. When no path is specified, the whole repository is scanned by default.

name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          file: your/kubernetes-manifest.yaml your/terraform/directory

Specifying severity threshold

You can also choose to only report on high severity vulnerabilities.

name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          file: your/kubernetes-manifest.yaml
          args: --severity-threshold=high

You can share your test results to the Snyk platform.

name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --report

Specifying scan mode for Terraform Plan

You can also choose the scan mode, when scanning Terraform Plan files.

name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --scan=resource-changes

Uploading Snyk scan results to GitHub Code Scanning using the Snyk Infrastructure as Code Action

The Infrastructure as Code Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. When the action is run, a snyk.sarif file is generated which can be uploaded to GitHub Code Scanning:

name: Snyk Infrastructure as Code
on: push
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check configuration files for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the issues to GitHub Code Scanning
        continue-on-error: true
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

To use the upload-sarif option for private repos you must have GitHub Advanced Security.

If you see the error Advanced Security must be enabled for this repository to use code scanning, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository."

For more information on how to use the snyk iac test command, see the following:

PreviousSnyk Docker Action NextSnyk Setup Action

Last updated 1 year ago