actions
A set of GitHub Actions for checking your projects for vulnerabilities
The Snyk GitHub Actions integrate vulnerability scanning and monitoring into your CI workflows. There is one action per language ecosystem (snyk/actions/node for Node.js, and so on); by default each runs snyk test, which fails the step when vulnerabilities are found. A minimal configuration for a Node.js project looks like this:
name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
How to Monitor for Vulnerabilities
Use snyk monitor in your build to send your data to Snyk and be alerted whenever a new vulnerability for your projects is disclosed.
name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
Unlike snyk test, which fails the step on current findings, snyk monitor uploads a snapshot of your dependencies to Snyk, which keeps re-checking that snapshot and alerts you when a new vulnerability affecting it is disclosed; running it on every push keeps the project under continuous monitoring. Keep SNYK_TOKEN in GitHub secret storage, never in the workflow file. Also consider pinning third-party actions to a full commit SHA rather than a moving ref such as @master: the action runs with the token in its environment, so a compromised or rewritten branch would expose it.
How to Use a Custom Development Environment
If your development environment is not covered by one of the language-specific actions, install the Snyk CLI with the snyk/actions/setup action (it has no further dependencies) and call it from a run step. Here is the pattern for a Go project:
name: Snyk example
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - uses: snyk/actions/setup@master
      - uses: actions/setup-go@v1
        with:
          go-version: '1.13'
      - name: Snyk test
        run: snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
After the setup step the snyk binary is on PATH, so any CLI command (snyk test, snyk monitor, and so on) runs inside your existing CI environment; swap the setup-go step for the toolchain of whatever language you are working with.
How to Obtain Your Snyk Token
You need a Snyk API token to authenticate the action. Either copy it from the API token section of your Snyk account settings page, or, if the Snyk CLI is already authenticated on your machine, print it with snyk config get api.
Pass it to the action through the SNYK_TOKEN environment variable:
env:
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Store the token in the repository's GitHub secrets rather than in the workflow file: secrets are masked in job logs, whereas a token committed to the repository lets anyone who can read it act against the Snyk API on your behalf.
How to Handle Pull Requests from Forks
Workflows triggered by pull requests from forked repositories do not receive repository secrets, so SNYK_TOKEN is empty in those runs and any Snyk action that requires a token will fail. One way to keep such failures from blocking the rest of the workflow is continue-on-error:
name: Example workflow using Snyk with continue on error
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
With continue-on-error: true the job proceeds even when the Snyk step fails, whether because no token was available or because snyk test found vulnerabilities. That keeps development from being blocked by the security check, but it also means real findings no longer fail the build, so reserve it for runs where the token is genuinely absent or combine it with a separate gate on the results.
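The following workflow is an added example, not part of the Snyk README, showing how to get the fork behaviour right without losing the gate on your own branches: the weak setting (a blanket continue-on-error) is left in as a comment, and the corrected version skips the Snyk step only when the pull request comes from a fork, letting it fail the job everywhere else. It assumes a Node.js project, the pull_request trigger, SNYK_TOKEN in repository secrets, and uses the Snyk CLI's --severity-threshold flag (the value high is an assumed policy choice).

```yaml
# Added example (not from the Snyk README): fork-aware Snyk gate on pull requests.
# Assumptions: Node.js project, SNYK_TOKEN stored in repository secrets,
# "high" as the severity threshold your policy fails on.
name: Snyk on pull requests (fork-aware)
on: [pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Weak setting: continue-on-error swallows every failure, including real
      # high-severity findings on PRs from your own branches.
      # - uses: snyk/actions/node@master
      #   continue-on-error: true
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      # Corrected: run Snyk only when the PR head lives in this repository
      # (secrets are available) and let it fail the job on findings.
      - name: Run Snyk (same-repository PRs only)
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      # For fork PRs, say why the scan did not run instead of failing on an empty token.
      - name: Explain skipped scan on fork PRs
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: echo "Snyk scan skipped - repository secrets are not available to workflows triggered from forks"
```

A maintainer who pushes the fork's branch into the main repository gets the full scan on that push, so skipping fork PRs does not leave the change unscanned before merge.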
How to Integrate GitHub Code Scanning
Snyk actions can be combined with GitHub Code Scanning so that vulnerability findings appear in the Security tab of the repository.
name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          sarif: true
With the sarif option set to true, Snyk emits its results in SARIF, the format GitHub Code Scanning ingests, so each finding is shown with its rule, severity and affected file. Producing the file is only half of the integration: Code Scanning displays results only once the SARIF file has been uploaded to the repository (for example with the github/codeql-action/upload-sarif action), and that upload needs the security-events: write permission on the job's GITHUB_TOKEN.
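A complete version of that integration, added here as an example and not taken from the Snyk README, writes the SARIF file with the Snyk CLI's --sarif-file-output flag (rather than the sarif input used above) and then uploads it with github/codeql-action/upload-sarif. It assumes a Node.js project and SNYK_TOKEN in repository secrets; the file name snyk.sarif is an arbitrary choice.

```yaml
# Added example (not from the Snyk README): Snyk results into GitHub Code Scanning.
# Assumptions: Node.js project, SNYK_TOKEN in repository secrets, snyk.sarif as file name.
name: Snyk to Code Scanning
on: push
permissions:
  contents: read
  security-events: write   # required for upload-sarif to write Code Scanning alerts
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Snyk and write SARIF
        uses: snyk/actions/node@master
        # snyk test exits non-zero when it finds vulnerabilities; keep going so the
        # findings still reach Code Scanning, where they are triaged and tracked.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```

Here continue-on-error is justified: the gate moves from the job's exit status to Code Scanning alerts, which can be enforced through branch protection instead of a red build.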
How to Enable Advanced Notifications and Reporting
The last example is not a Snyk action. It runs foo-software/lighthouse-check-action, which audits web pages with Google Lighthouse (performance, accessibility and best-practice checks), and it is included because it shows the same credential pattern at a larger scale: every secret the action needs (AWS keys, Slack webhook, GitHub token) is read from repository secrets, the reports go to an AWS S3 bucket and a summary is posted to Slack.
name: Test Lighthouse Check
on: [pull_request]
jobs:
  lighthouse-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - run: mkdir -p ${{ github.workspace }}/tmp/artifacts
      - name: Run Lighthouse
        uses: foo-software/lighthouse-check-action@master
        with:
          awsAccessKeyId: ${{ secrets.LIGHTHOUSE_CHECK_AWS_ACCESS_KEY_ID }}
          awsBucket: ${{ secrets.LIGHTHOUSE_CHECK_AWS_BUCKET }}
          awsRegion: ${{ secrets.LIGHTHOUSE_CHECK_AWS_REGION }}
          awsSecretAccessKey: ${{ secrets.LIGHTHOUSE_CHECK_AWS_SECRET_ACCESS_KEY }}
          gitAuthor: ${{ github.actor }}
          gitBranch: ${{ github.ref }}
          gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }}
          outputDirectory: ${{ github.workspace }}/tmp/artifacts
          urls: 'https://www.foo.software,https://www.foo.software/contact'
          sha: ${{ github.sha }}
          slackWebhookUrl: ${{ secrets.LIGHTHOUSE_CHECK_WEBHOOK_URL }}
The action uploads the full audit reports to the configured S3 bucket and, when slackWebhookUrl is set, posts a summary to your team's Slack channel, so results are visible and tracked outside the Actions log. Two caveats apply: the workflow runs on pull_request, so PRs from forks will run without these secrets and fail, as in the Snyk case above; and the AWS keys are long-lived static credentials, so scope the IAM user behind them to write access on that one bucket and nothing else.