💸Save up to $132K/month in CI costs!👉 Try Free
Skip to main content
← Back to workflows

How to Use Snyk in GitHub Actions

snyk/actions -
GitHub Action
Release V0.4.0
506
Contributors
Contributor - garethrContributor - JackuBContributor - benlaplanche
Categories

Optimize Your CI/CD Pipeline

Get instant insights into your CI/CD performance and costs. Reduce build times by up to 45% and save on infrastructure costs.

45% Faster Builds
60% Cost Reduction
Usage
name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

actions logo

actions

A set of GitHub actions for checking your projects for vulnerabilities


The Snyk GitHub Action integrates vulnerability monitoring and scanning into your CI workflows. Finally, find a configuration in which you use Snyk in your GitHub Actions

How to Monitor for Vulnerabilities

Use snyk monitor in your build to send your data to Snyk and be alerted whenever a new vulnerability for your projects is disclosed.

name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor

This will ensure that your project can be tested for vulnerabilities continuously. The SNYK_TOKEN environment variable should be safely kept within GitHub secret storage.

How to Use a Custom Development Environment

If you're using a mainstream development environment, then install the Snyk CLI with no further dependencies using the snack/actions/setup action:

name: Snyk example
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- uses: snyk/actions/setup@master
- uses: actions/setup-go@v1
with:
go-version: '1.13'
- name: Snyk monitor
run: snyk test
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Here's an example to configure this in Go. You should be able to adapt that to your setup in the language you are working with so Snyk runs within your existing CI environment.

How to Obtain Your Snyk Token

Your Snyk API token:

Go to your Snyk account settings page and find the API token. Or, get the token by running snyk config and get api from the local Snyk

env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Safely store your SNYK_TOKEN in repository secrets in GitHub to prevent leakage of sensitive information.

How to Handle Pull Requests from Forks

If an action of Snyk is token-requiring, it will be broken unless one is being passed.

name: Example workflow using Snyk with continue on error
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

By setting continue-on-error: true, this means that even if Snyk is finding vulnerabilities, the workflow continues: helpful to ensure that development is not blocked by making security checks.

How to Integrate GitHub Code Scanning

Snyk Actions can also be used combined with GitHub Code Scanning to view information relating to vulnerabilities directly on the Security tab of a specific GitHub repository.

name: Example workflow using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
sarif: true

If the sarif option is set to true, this enables uploading Snyk results in the SARIF format, which makes it possible for GitHub Code Scanning to display deep information about detected vulnerabilities.

How to Enable Advanced Notifications and Reporting

This allows Snyk with Slack notifications and detailed reports uploaded to AWS S3.

name: Test Lighthouse Check
on: [pull_request]

jobs:
lighthouse-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- run: mkdir -p ${{ github.workspace }}/tmp/artifacts
- name: Run Lighthouse
uses: foo-software/lighthouse-check-action@master
with:
awsAccessKeyId: ${{ secrets.LIGHTHOUSE_CHECK_AWS_ACCESS_KEY_ID }}
awsBucket: ${{ secrets.LIGHTHOUSE_CHECK_AWS_BUCKET }}
awsRegion: ${{ secrets.LIGHTHOUSE_CHECK_AWS_REGION }}
awsSecretAccessKey: ${{ secrets.LIGHTHOUSE_CHECK_AWS_SECRET_ACCESS_KEY }}
gitAuthor: ${{ github.actor }}
gitBranch: ${{ github.ref }}
gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }}
outputDirectory: ${{ github.workspace }}/tmp/artifacts
urls: 'https://www.foo.software,https://www.foo.software/contact'
sha: ${{ github.sha }}
slackWebhookUrl: ${{ secrets.LIGHTHOUSE_CHECK_WEBHOOK_URL }}

It sends fine-grained audit reports to AWS S3, and when needed, it shall alert your team over slack. Thus service incidents have increased visibility and tracking of the organization's vulnerabilities.