
How to Use Snyk in GitHub Actions

snyk/actions - GitHub Action (release v0.4.0)
Usage

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

With no command given, the action runs snyk test, which exits non-zero and fails the step as soon as it finds a vulnerability in the project's dependencies.

A set of GitHub actions for checking your projects for vulnerabilities


The Snyk GitHub Actions integrate vulnerability scanning (snyk test) and continuous monitoring (snyk monitor) into your CI workflows, with one action per language ecosystem (for example snyk/actions/node) plus a generic setup action. The sections below walk through the common configurations. They reference snyk/actions/...@master, as the upstream README does; for a reproducible supply chain, pin third-party actions to a release tag or, better, a full commit SHA instead of a moving branch.

How to Monitor for Vulnerabilities

Use snyk monitor in your build to take a snapshot of your dependency tree and send it to Snyk, which then re-evaluates it and alerts you whenever a new vulnerability affecting your project is disclosed. Unlike snyk test, monitor does not fail the build on existing findings; it only records them.

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

Because Snyk keeps the snapshot, the project stays under observation between builds rather than only at the moment the workflow runs. The SNYK_TOKEN must come from GitHub's encrypted secret storage, never from a literal in the workflow file.

How to Use a Custom Development Environment

If your language or toolchain is not covered by one of the dedicated actions (or has unusual requirements), install the Snyk CLI with the snyk/actions/setup action and invoke it yourself from a run step:

name: Snyk example
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      # installs the snyk CLI onto the runner's PATH
      - uses: snyk/actions/setup@master
      - uses: actions/setup-go@v1
        with:
          go-version: '1.13'
      # step name matches the command it runs (the original said "monitor" but ran test)
      - name: Snyk test
        run: snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

This example sets up Go; swap the setup step for your own toolchain and Snyk runs inside your existing CI environment with the same token handling.

How to Obtain Your Snyk Token

Every Snyk action needs a Snyk API token. Copy it from the API token field on your Snyk account settings page, or, if the Snyk CLI is already authenticated on your workstation, print it with:

snyk config get api

Then expose it to the action as the SNYK_TOKEN environment variable:

env:
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Store the value as a repository (or organization) secret in GitHub and reference it only through the secrets context, as above. A token pasted into the workflow file ends up in git history for anyone with read access to the repository; if that happens, revoke and regenerate it in Snyk rather than just deleting the line.

How to Handle Pull Requests from Forks

GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so SNYK_TOKEN is empty in those runs and any Snyk action that needs a token fails. The bluntest way to keep such workflows from going red is continue-on-error:

name: Example workflow using Snyk with continue on error
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

With continue-on-error: true the step is still marked as failed, but the job and the workflow succeed regardless, whether the failure was a missing token or a genuine vulnerability. That keeps development unblocked, at the cost of turning the security check into advice nobody has to act on: a critical finding on the main branch looks exactly like a fork PR with no secret. Prefer to skip the step only where the token cannot exist and let real findings fail the job.
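As an added example (not code from the Snyk README or this page), here is a fail-closed variant of the workflow above: the Snyk step runs on pushes and on pull requests from the same repository, is skipped only for pull requests from forks where no secret is available, and uses --severity-threshold=high so low and medium findings are reported without failing the job while high and critical ones still do. The workflow name is made up; args is the documented input of snyk/actions/node and the if expression uses standard GitHub Actions contexts.

```yaml
name: Snyk test (fail closed, skip where no token)
on:
  push:
  pull_request:

# the workflow only reads the repository; nothing here needs write access
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        # Secrets are not available to pull_request runs from forks, so skip the
        # token-requiring step there instead of masking every failure. Pushes and
        # same-repository pull requests still run it and still fail on findings.
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: snyk/actions/node@master   # pin to a release tag or commit SHA in production
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # report only high and critical issues, and exit non-zero if any exist
          args: --severity-threshold=high
```

Because the step is skipped rather than tolerated, a red check on a branch you own always means a real finding (or a misconfigured secret), and branch protection can require the job without blocking outside contributors.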

How to Integrate GitHub Code Scanning

The Snyk actions can also feed GitHub Code Scanning, so that findings appear as alerts on the Security tab of the repository alongside any CodeQL results.

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          sarif: true

With sarif: true the action writes its results to a file named snyk.sarif in the SARIF format that GitHub Code Scanning understands, including the vulnerable path, severity and remediation advice. Writing the file is only half the job: a separate upload step has to hand that file to Code Scanning, and since snyk test exits non-zero when it finds issues, the Snyk step must be allowed to fail or the upload never runs.
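The complete pipeline, as an added example rather than code from this page: Snyk produces snyk.sarif, continue-on-error lets the following step run even when vulnerabilities were found, and github/codeql-action/upload-sarif publishes the file. The job token needs security-events: write for the upload to be accepted. The workflow name is mine; the action inputs (sarif, sarif_file) are the documented ones.

```yaml
name: Snyk to GitHub Code Scanning
on: push

permissions:
  contents: read
  security-events: write   # required by upload-sarif to create Code Scanning alerts

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master   # pin to a release tag or commit SHA in production
        # snyk test exits non-zero on findings; continue so the SARIF file still
        # gets uploaded and the findings land on the Security tab
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          sarif: true                    # writes snyk.sarif in the workspace
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
```

Here continue-on-error is the right tool, because the enforcement moves from the job status to Code Scanning alerts, which can be required through branch protection and are tracked per finding instead of per build.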

How to Enable Advanced Notifications and Reporting

The following workflow is not a Snyk example, despite its placement on this page: it uses foo-software/lighthouse-check-action, which runs Google Lighthouse web-performance audits against a list of URLs, uploads the reports to an AWS S3 bucket and posts a summary to Slack. It is kept here for the pattern it shows of passing every external credential through GitHub secrets.

name: Test Lighthouse Check
on: [pull_request]

jobs:
  lighthouse-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - run: mkdir -p ${{ github.workspace }}/tmp/artifacts
      - name: Run Lighthouse
        uses: foo-software/lighthouse-check-action@master
        with:
          awsAccessKeyId: ${{ secrets.LIGHTHOUSE_CHECK_AWS_ACCESS_KEY_ID }}
          awsBucket: ${{ secrets.LIGHTHOUSE_CHECK_AWS_BUCKET }}
          awsRegion: ${{ secrets.LIGHTHOUSE_CHECK_AWS_REGION }}
          awsSecretAccessKey: ${{ secrets.LIGHTHOUSE_CHECK_AWS_SECRET_ACCESS_KEY }}
          gitAuthor: ${{ github.actor }}
          gitBranch: ${{ github.ref }}
          gitHubAccessToken: ${{ secrets.GITHUB_TOKEN }}
          outputDirectory: ${{ github.workspace }}/tmp/artifacts
          urls: 'https://www.foo.software,https://www.foo.software/contact'
          sha: ${{ github.sha }}
          slackWebhookUrl: ${{ secrets.LIGHTHOUSE_CHECK_WEBHOOK_URL }}

The AWS keys, bucket name, region and Slack webhook URL all come from repository secrets, and the repository token is the workflow's own GITHUB_TOKEN rather than a personal access token; that is the same secrets-only discipline any notification or reporting step added to a Snyk workflow should follow. Two caveats: the reports this action produces are performance audits, not vulnerability findings, and the long-lived AWS access key it requires should be scoped to that one bucket and rotated, since a workflow secret is only as safe as every action that reads it.