├── .circleci └── config.yml ├── .github ├── CODEOWNERS └── workflows │ ├── build.yaml │ ├── check-master.yaml │ └── schedule.yml ├── .gitignore ├── .gitleaksignore ├── .pre-commit-config.yaml ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── _templates ├── BASE.md.erb ├── README.md.erb ├── action.yml.erb └── sarif-example.png ├── action.yml ├── build.rb ├── catalog-info.yaml ├── cocoapods ├── README.md └── action.yml ├── docker ├── README.md ├── action.yml ├── codescanning.png └── example.yml ├── dotnet ├── README.md └── action.yml ├── golang ├── README.md └── action.yml ├── gradle-jdk11 ├── README.md └── action.yml ├── gradle-jdk12 ├── README.md └── action.yml ├── gradle-jdk14 ├── README.md └── action.yml ├── gradle-jdk16 ├── README.md └── action.yml ├── gradle-jdk17 ├── README.md └── action.yml ├── gradle ├── README.md └── action.yml ├── iac ├── README.md ├── action.yml └── example.yml ├── maven-3-jdk-11 ├── README.md └── action.yml ├── maven-3-jdk-17 ├── README.md └── action.yml ├── maven-3-jdk-20 ├── README.md └── action.yml ├── maven-3-jdk-21 ├── README.md └── action.yml ├── maven-3-jdk-22 ├── README.md └── action.yml ├── maven ├── README.md └── action.yml ├── node ├── README.md └── action.yml ├── php ├── README.md └── action.yml ├── python-3.10 ├── README.md └── action.yml ├── python-3.6 ├── README.md └── action.yml ├── python-3.7 ├── README.md └── action.yml ├── python-3.8 ├── README.md └── action.yml ├── python-3.9 ├── README.md └── action.yml ├── python ├── README.md └── action.yml ├── ruby ├── README.md └── action.yml ├── sbt1.10.0-scala3.4.2 ├── README.md └── action.yml ├── scala ├── README.md └── action.yml └── setup ├── README.md ├── action.yml └── setup_snyk.sh /.circleci/config.yml: -------------------------------------------------------------------------------- 1 | version: 2.1 2 | 3 | orbs: 4 | prodsec: snyk/prodsec-orb@1 5 | 6 | jobs: 7 | security-scans: 8 | resource_class: small 9 | docker: 10 | - image: cimg/base:stable 
11 | steps: 12 | - checkout 13 | - prodsec/security_scans: 14 | mode: auto 15 | 16 | workflows: 17 | cicd: 18 | jobs: 19 | - prodsec/secrets-scan: 20 | name: scan repository for secrets 21 | context: 22 | - snyk-bot-slack 23 | channel: cli-alerts 24 | 25 | - security-scans: 26 | context: devex_cli 27 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @snyk/cli 2 | -------------------------------------------------------------------------------- /.github/workflows/build.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Snyk Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | name: CI 16 | on: 17 | workflow_dispatch: 18 | pull_request: 19 | 20 | jobs: 21 | test-setup-action-in-pr: 22 | name: Setup Action with Ubuntu 23 | runs-on: ubuntu-latest 24 | steps: 25 | - uses: actions/checkout@v4 26 | - name: Set up Snyk CLI 27 | uses: ./setup/ 28 | - name: snyk version 29 | run: snyk --version 30 | test-setup-action-with-alpine: 31 | name: Setup Action with Alpine 32 | runs-on: ubuntu-latest 33 | container: 34 | image: alpine:latest 35 | steps: 36 | - uses: actions/checkout@v4 37 | - name: Install dependencies 38 | run: apk update && apk add curl bash 39 | - name: Set up Snyk CLI 40 | uses: ./setup/ 41 | with: 42 | os: Alpine 43 | - name: snyk version 44 | run: snyk --version 45 | test-setup-action-no-sudo: 46 | name: Setup Action with Debian (no sudo) 47 | runs-on: ubuntu-latest 48 | container: 49 | image: debian:latest 50 | steps: 51 | - uses: actions/checkout@v4 52 | - name: Install curl 53 | run: apt-get update && apt-get install curl --yes 54 | - name: Set up Snyk CLI 55 | uses: ./setup/ 56 | - name: snyk version 57 | run: snyk --version 58 | test-setup-action-macos: 59 | name: Setup Action with Macos 60 | runs-on: macos-latest 61 | steps: 62 | - uses: actions/checkout@v4 63 | - name: Install dependencies 64 | run: brew install coreutils 65 | - name: Set up Snyk CLI 66 | uses: ./setup/ 67 | - name: snyk version 68 | run: snyk --version -------------------------------------------------------------------------------- /.github/workflows/check-master.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Snyk Ltd. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | name: Check if setup works on master 16 | on: 17 | workflow_dispatch: 18 | pull_request: 19 | 20 | jobs: 21 | test-setup-action: 22 | name: test-setup-action 23 | runs-on: ubuntu-latest 24 | steps: 25 | - name: Set up Snyk CLI 26 | uses: snyk/actions/setup@master -------------------------------------------------------------------------------- /.github/workflows/schedule.yml: -------------------------------------------------------------------------------- 1 | name: "Generate Snyk GitHub Actions" 2 | on: 3 | push: 4 | branches: 5 | - master 6 | workflow_dispatch: 7 | 8 | jobs: 9 | actions: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@master 13 | - name: Set up Ruby 14 | uses: ruby/setup-ruby@v1 15 | with: 16 | ruby-version: '2.6' 17 | - name: Render latest template 18 | run: | 19 | ruby build.rb 20 | - name: Commit to repository 21 | env: 22 | GITHUB_TOKEN: ${{ secrets.GH_TOKEN_HAMMERHEAD }} 23 | COMMIT_MSG: | 24 | Generated new GitHub Actions templates 25 | skip-checks: true 26 | run: | 27 | # Hard-code user config 28 | git config user.email "team-hammerhead@snyk.io" 29 | git config user.name "Team Hammerhead" 30 | git config --get-regexp "user\.(name|email)" 31 | git config --global safe.directory $PWD 32 | # Update origin with token 33 | git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git 34 | # Checkout the branch so we can push back to it 35 | git checkout master 36 | git add . 
37 | # Only commit and push if we have changes 38 | git diff --quiet && git diff --staged --quiet || (git commit -m "${COMMIT_MSG}"; git push origin master) 39 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | .dccache 3 | -------------------------------------------------------------------------------- /.gitleaksignore: -------------------------------------------------------------------------------- 1 | # add false positives here 2 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | repos: 4 | - repo: https://github.com/gitleaks/gitleaks 5 | rev: v8.17.0 6 | hooks: 7 | - id: gitleaks 8 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 
14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 
55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | `daniel.appelquist snyk.io`. 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 
99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. 129 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to [APPLICATION_NAME] 2 | 3 | Welcome, and thank you for your interest in contributing! 4 | 5 | The goal of this document is to provide a high-level overview of how you can contribute and explain how we accept contribution. 6 | 7 | # Reporting issues 8 | Please use [official Snyk support website](https://support.snyk.io) to report any issues. 
Our technical support team will work together with you to resolve an issue, or pass it on to our engineers for resolution. 9 | 10 | You can find recommended information to include in the ticket on the [technical support guide page](https://support.snyk.io/hc/en-us/articles/5930557657885-Snyk-Technical-Support-Guide). 11 | 12 | # Providing feedback or suggestions 13 | Similarly to bug reports, we accept improvement suggestions and feedback via [the official support website](https://support.snyk.io). 14 | 15 | Please refer to the [support knowledge base](https://support.snyk.io/) and [user docs](https://docs.snyk.io) to verify that your suggestion isn't already part of our product before submitting a ticket with us. 16 | 17 | # Contributing code changes 18 | We are thrilled that you are interested in contributing code changes! Because this project is part of Snyk’s overall software offering, we want to make sure that your contribution aligns with our vision and product strategy, so please reach out to us before submitting a pull request. If you’re thinking of contributing a new feature, contact [our support](https://support.snyk.io) with a detailed explanation of your planned contribution and we'll be happy to discuss it with you. If you’re thinking of contributing a bug fix, we’d still like you to raise a support ticket first, as it’s possible we may already be working on a fix. 19 | 20 | Once we've confirmed that we're ready to accept your contribution, feel free to open a pull request and link it in the support ticket. We're excited to work with you to get your contribution merged and make our project even better! 21 | 22 | ## Contributor License Agreement 23 | As part of the PR process, you'll need to sign a Contributor License Agreement (CLA). It is an automated process and you'll only need to do it once, when contributing first time. You won't need to sign it in future when contributing to other Snyk projects. 
24 | 25 | ## Pipeline checks 26 | We don't allow external contributors to run pipeline status checks on your PR for security reasons. We'll run them on your behalf when you mark your PR changes as ready for us. 27 | 28 | ## Code of Conduct 29 | Please make sure to read and follow the [Code of Conduct](./code-of-conduct.md). 30 | 31 | ## Contribution instructions 32 | If your proposal for contribution has been accepted, read the instructions below on how to work with and contribute to this project. 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Snyk Actions - Check for vulnerabilites in your GitHub Actions workflow 2 | 3 | Copyright (C) 2019 Gareth Rushgrove 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | https://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Snyk GitHub Actions 2 | 3 | ![](https://github.com/snyk/actions/workflows/Generate%20Snyk%20GitHub%20Actions/badge.svg) 4 | 5 | A set of [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 6 | vulnerabilities in your GitHub projects. A different action is required depending on which language or build tool 7 | you are using. 
We currently support: 8 | 9 | 10 | - [CocoaPods](cocoapods) 11 | - [dotNET](dotnet) 12 | - [Golang](golang) 13 | - [Gradle](gradle) 14 | - [Gradle-jdk11](gradle-jdk11) 15 | - [Gradle-jdk12](gradle-jdk12) 16 | - [Gradle-jdk14](gradle-jdk14) 17 | - [Gradle-jdk16](gradle-jdk16) 18 | - [Gradle-jdk17](gradle-jdk17) 19 | - [Maven](maven) 20 | - [Maven-3-jdk-11](maven-3-jdk-11) 21 | - [Maven-3-jdk-17](maven-3-jdk-17) 22 | - [Maven-3-jdk-20](maven-3-jdk-20) 23 | - [Maven-3-jdk-21](maven-3-jdk-21) 24 | - [Maven-3-jdk-22](maven-3-jdk-22) 25 | - [Node](node) 26 | - [PHP](php) 27 | - [Python](python) 28 | - [Python-3.6](python-3.6) 29 | - [Python-3.7](python-3.7) 30 | - [Python-3.8](python-3.8) 31 | - [Python-3.9](python-3.9) 32 | - [Python-3.10](python-3.10) 33 | - [Ruby](ruby) 34 | - [Scala](scala) 35 | - [SBT1.10.0-Scala3.4.2](sbt1.10.0-scala3.4.2) 36 | - [Docker](docker) 37 | - [Infrastructure as Code](iac) 38 | - [Setup](setup) 39 | 40 | Here's an example of using one of the Actions, in this case to test a Node.js project: 41 | 42 | ```yaml 43 | name: Example workflow using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/node@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | ``` 55 | 56 | If you want to send data to Snyk, and be alerted when new vulnerabilities are discovered, you can run [Snyk monitor](https://support.snyk.io/hc/en-us/articles/360000920818-What-is-the-difference-between-snyk-test-protect-and-monitor-) like so: 57 | 58 | ```yaml 59 | name: Example workflow using Snyk 60 | on: push 61 | jobs: 62 | security: 63 | runs-on: ubuntu-latest 64 | steps: 65 | - uses: actions/checkout@master 66 | - name: Run Snyk to check for vulnerabilities 67 | uses: snyk/actions/node@master 68 | env: 69 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 70 | with: 71 | command: monitor 72 | ``` 73 | 74 | See the individual 
Actions linked above for per-language instructions. 75 | 76 | Note that GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk actions that require the token will fail to run. 77 | 78 | ### Bring your own development environment 79 | 80 | The per-language Actions automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. If you have a workflow where you already have those installed then you can instead use the `snyk/actions/setup` Action to just install [Snyk CLI][cli-gh]: 81 | 82 | ```yaml 83 | name: Snyk example 84 | on: push 85 | jobs: 86 | security: 87 | runs-on: ubuntu-latest 88 | steps: 89 | - uses: actions/checkout@master 90 | - uses: snyk/actions/setup@master 91 | - uses: actions/setup-go@v1 92 | with: 93 | go-version: '1.13' 94 | - name: Snyk monitor 95 | run: snyk test 96 | env: 97 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 98 | ``` 99 | 100 | The example here uses `actions/setup-go`, you would need to select the right actions to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application you're likely already doing so. 101 | 102 | ### Getting your Snyk token 103 | 104 | The Actions example above refer to a Snyk API token: 105 | 106 | ```yaml 107 | env: 108 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 109 | ``` 110 | 111 | Every Snyk account has this token. Once you [create an account](https://snyk.co/SignUpGH) you can find it in one of two ways: 112 | 113 | 1. In the UI, go to your Snyk account's [settings page](https://app.snyk.io/account) and retrieve the API token, as shown in the following [Revoking and regenerating Snyk API tokens](https://support.snyk.io/hc/en-us/articles/360004008278-Revoking-and-regenerating-Snyk-API-tokens). 114 | 2. 
If you're using the [Snyk CLI](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI) locally you can retrieve it by running `snyk config get api`. 115 | 116 | ### GitHub Code Scanning support 117 | 118 | All Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information in the GitHub Security tab. You can see full details on the individual action READMEs linked above. 119 | 120 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](_templates/sarif-example.png) 121 | 122 | ### Continuing on error 123 | 124 | The above examples will fail the workflow when issues are found. If you want to ensure the Action continues, even if Snyk finds vulnerabilities, then [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) can be used.. 125 | 126 | ```yaml 127 | name: Example workflow using Snyk with continue on error 128 | on: push 129 | jobs: 130 | security: 131 | runs-on: ubuntu-latest 132 | steps: 133 | - uses: actions/checkout@master 134 | - name: Run Snyk to check for vulnerabilities 135 | uses: snyk/actions/node@master 136 | continue-on-error: true 137 | env: 138 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 139 | ``` 140 | 141 | Made with 💜 by Snyk 142 | 143 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 144 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 145 | -------------------------------------------------------------------------------- /_templates/BASE.md.erb: -------------------------------------------------------------------------------- 1 | # Snyk GitHub Actions 2 | 3 | ![](https://github.com/snyk/actions/workflows/Generate%20Snyk%20GitHub%20Actions/badge.svg) 4 | 5 | A set of [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 6 | vulnerabilities in your GitHub projects. 
A different action is required depending on which language or build tool 7 | you are using. We currently support: 8 | 9 | <% @variants.each do | variant | %> 10 | - [<%= variant %>](<%= variant.downcase %>)<% end %> 11 | - [Docker](docker) 12 | - [Infrastructure as Code](iac) 13 | - [Setup](setup) 14 | 15 | Here's an example of using one of the Actions, in this case to test a Node.js project: 16 | 17 | ```yaml 18 | name: Example workflow using Snyk 19 | on: push 20 | jobs: 21 | security: 22 | runs-on: ubuntu-latest 23 | steps: 24 | - uses: actions/checkout@master 25 | - name: Run Snyk to check for vulnerabilities 26 | uses: snyk/actions/node@master 27 | env: 28 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 29 | ``` 30 | 31 | If you want to send data to Snyk, and be alerted when new vulnerabilities are discovered, you can run [Snyk monitor](https://support.snyk.io/hc/en-us/articles/360000920818-What-is-the-difference-between-snyk-test-protect-and-monitor-) like so: 32 | 33 | ```yaml 34 | name: Example workflow using Snyk 35 | on: push 36 | jobs: 37 | security: 38 | runs-on: ubuntu-latest 39 | steps: 40 | - uses: actions/checkout@master 41 | - name: Run Snyk to check for vulnerabilities 42 | uses: snyk/actions/node@master 43 | env: 44 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 45 | with: 46 | command: monitor 47 | ``` 48 | 49 | See the individual Actions linked above for per-language instructions. 50 | 51 | Note that GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk actions that require the token will fail to run. 52 | 53 | ### Bring your own development environment 54 | 55 | The per-language Actions automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. 
If you have a workflow where you already have those installed then you can instead use the `snyk/actions/setup` Action to just install [Snyk CLI][cli-gh]: 56 | 57 | ```yaml 58 | name: Snyk example 59 | on: push 60 | jobs: 61 | security: 62 | runs-on: ubuntu-latest 63 | steps: 64 | - uses: actions/checkout@master 65 | - uses: snyk/actions/setup@master 66 | - uses: actions/setup-go@v1 67 | with: 68 | go-version: '1.13' 69 | - name: Snyk monitor 70 | run: snyk test 71 | env: 72 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 73 | ``` 74 | 75 | The example here uses `actions/setup-go` would you would need to select the right actions to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application you're likely already doing so. 76 | 77 | ### Getting your Snyk token 78 | 79 | The Actions example above refer to a Snyk API token: 80 | 81 | ```yaml 82 | env: 83 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 84 | ``` 85 | 86 | Every Snyk account has this token. Once you [create an account](https://snyk.co/SignUpGH) you can find it in one of two ways: 87 | 88 | 1. In the UI, go to your Snyk account's [settings page](https://app.snyk.io/account) and retrieve the API token, as shown in the following [Revoking and regenerating Snyk API tokens](https://support.snyk.io/hc/en-us/articles/360004008278-Revoking-and-regenerating-Snyk-API-tokens). 89 | 2. If you're using the [Snyk CLI](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI) locally you can retrieve it by running `snyk config get api`. 90 | 91 | ### GitHub Code Scanning support 92 | 93 | All Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information in the GitHub Security tab. You can see full details on the individual action READMEs linked above. 
94 | 95 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](_templates/sarif-example.png) 96 | 97 | ### Continuing on error 98 | 99 | The above examples will fail the workflow when issues are found. If you want to ensure the Action continues, even if Snyk finds vulnerabilities, then [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) can be used.. 100 | 101 | ```yaml 102 | name: Example workflow using Snyk with continue on error 103 | on: push 104 | jobs: 105 | security: 106 | runs-on: ubuntu-latest 107 | steps: 108 | - uses: actions/checkout@master 109 | - name: Run Snyk to check for vulnerabilities 110 | uses: snyk/actions/node@master 111 | continue-on-error: true 112 | env: 113 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 114 | ``` 115 | 116 | Made with 💜 by Snyk 117 | 118 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 119 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 120 | -------------------------------------------------------------------------------- /_templates/README.md.erb: -------------------------------------------------------------------------------- 1 | # Snyk <%= @name %><% if @ident %> (<%= @ident %>) <% end %> Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your <%= @variant %> projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | <% if @name == "Python" %> > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. 
If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | <% end %> 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for <%= @name %> using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/<%= @variant.downcase %>@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk <%= @name %> Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for <%= @name %> using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/<%= @variant.downcase %>@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for <%= @name %> using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/<%= @variant.downcase %>@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /_templates/action.yml.erb: -------------------------------------------------------------------------------- 1 | name: "Snyk<% if @variant != "Node"%> <%= @name %><% if @ident %> (<%= @ident %>)<% end %><% end %>" 2 | description: "Check your <%= @name %> application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:<%= @variant.downcase %>" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: <%= @variant.downcase %> 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /_templates/sarif-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk/actions/cdb760004ba9ea4d525f2e043745dfe85bb9077e/_templates/sarif-example.png -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk" 2 | description: "Check your applications for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test 
command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:node" 19 | env: 20 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 21 | SNYK_INTEGRATION_VERSION: node 22 | args: 23 | - snyk 24 | - ${{ inputs.command }} 25 | - ${{ inputs.args }} 26 | -------------------------------------------------------------------------------- /build.rb: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env ruby 2 | 3 | # 4 | # This script generates GitHub Actions for the currently supported 5 | # set of Snyk images. The Actions all have the same interface. 6 | # Each variant gets a directory named after its lowercased name holding an action.yml and a README.md rendered from _templates/; the root README.md is rendered from _templates/BASE.md.erb. NOTE(review): the root action.yml is NOT regenerated by this script (the copy step at the bottom is commented out) and its env block lacks the FORCE_COLOR entry that _templates/action.yml.erb emits — confirm whether that drift is intended. 7 | 8 | require "erb" 9 | require 'fileutils' 10 | 11 | 12 | @variants = [ 13 | "CocoaPods", 14 | "dotNET", 15 | "Golang", 16 | "Gradle", 17 | "Gradle-jdk11", 18 | "Gradle-jdk12", 19 | "Gradle-jdk14", 20 | "Gradle-jdk16", 21 | "Gradle-jdk17", 22 | "Maven", 23 | "Maven-3-jdk-11", 24 | "Maven-3-jdk-17", 25 | "Maven-3-jdk-20", 26 | "Maven-3-jdk-21", 27 | "Maven-3-jdk-22", 28 | "Node", 29 | "PHP", 30 | "Python", 31 | "Python-3.6", 32 | "Python-3.7", 33 | "Python-3.8", 34 | "Python-3.9", 35 | "Python-3.10", 36 | "Ruby", 37 | "Scala", 38 | "SBT1.10.0-Scala3.4.2", 39 | ] 40 | 41 | templatename = File.join("_templates", "BASE.md.erb") 42 | renderer = ERB.new(File.read(templatename)) 43 | # result() with no binding renders against the top-level binding, so the templates read the @variant/@name/@ident instance variables set in the loop below. File.open("README.md", "w") { |file| file.puts renderer.result() } 44 | 45 | @variants.each do | variant | 46 | puts "Generating Action for #{variant}" 47 | 48 | # The lowercased variant is both the output directory and the snyk/snyk image tag referenced by action.yml.erb. dirname = variant.downcase 49 | unless File.directory?(dirname) 50 | FileUtils.mkdir_p(dirname) 51 | end 52 | @variant = variant 53 | # Split on the first "-" only: "Maven-3-jdk-11" -> @name "Maven", @ident "3-jdk-11"; a variant without "-" leaves @ident nil, which action.yml.erb guards with `if @ident`. @name, @ident = variant.split("-", 2) 54 | [ 55 | "action.yml", 56 | "README.md", 57 | ].each do | name | 58 | templatename = File.join("_templates", "#{name}.erb") 59 | renderer = ERB.new(File.read(templatename)) 60 | filename = File.join(dirname, name) 61 | File.open(filename, "w") { |file| 62 | file.puts renderer.result() 63 | } 64 | end 65 | end 66 | 67 | # 68 | # Currently in order 
to submit Actions to the marketplace you need to have a file 69 | # called action.yml in the root of your directory 70 | # 71 | #puts "Generating root Action" 72 | #FileUtils.cp("node/action.yml", ".") 73 | -------------------------------------------------------------------------------- /catalog-info.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: backstage.io/v1alpha1 2 | kind: Component 3 | metadata: 4 | name: actions 5 | annotations: 6 | github.com/project-slug: snyk/actions 7 | github.com/team-slug: snyk/cli 8 | spec: 9 | type: supply-chain-tooling 10 | lifecycle: "-" 11 | owner: cli 12 | -------------------------------------------------------------------------------- /cocoapods/README.md: -------------------------------------------------------------------------------- 1 | # Snyk CocoaPods Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your CocoaPods projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for CocoaPods using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/cocoapods@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk CocoaPods Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. 
See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for CocoaPods using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/cocoapods@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for CocoaPods using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/cocoapods@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /cocoapods/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk CocoaPods" 2 | description: "Check your CocoaPods application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:cocoapods" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: cocoapods 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /docker/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Docker Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.io) to check for 4 | vulnerabilities in your Docker images. 5 | 6 | You can use the Action as follows (the examples reference `@master` for brevity; in a real workflow pin `snyk/actions/docker` and any other action to a release tag or, better, a full commit SHA, so that a later change to the branch cannot silently change what runs with your `SNYK_TOKEN`): 7 | 8 | ```yaml 9 | name: Example workflow for Docker using Snyk 10 | on: push 11 | jobs: 12 | security: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - name: Run Snyk to check Docker image for vulnerabilities 16 | uses: snyk/actions/docker@master 17 | env: 18 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 19 | with: 20 | image: your/image-to-test 21 | ``` 22 | 23 | The Snyk Docker Action has properties which are passed to the underlying image. These are 24 | passed to the action using `with`. 25 | 26 | | Property | Default | Description | 27 | | --- | --- | --- | 28 | | args | | Override the default arguments to the Snyk image | 29 | | command | test | Specify which command to run, for instance test or monitor | 30 | | image | | The name of the image to test | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | | sarif | true | In addition to the stdout, save the results as snyk.sarif | 33 | 34 | For example, you can choose to only report on high severity vulnerabilities (the same threshold also decides whether the step fails). 35 | 36 | ```yaml 37 | name: Example workflow for Docker using Snyk 38 | on: push 39 | jobs: 40 | security: 41 | runs-on: ubuntu-latest 42 | steps: 43 | - name: Run Snyk to check Docker images for vulnerabilities 44 | uses: snyk/actions/docker@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | image: your/image-to-test 49 | args: --severity-threshold=high 50 | ``` 51 | 52 | The Docker Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. Note that the Code Scanning example below sets `continue-on-error: true` so that the upload step still runs; this means the job passes even when vulnerabilities are found, so the scan no longer gates the build. If you want the job to keep failing while still uploading results, leave `continue-on-error` unset and put `if: always()` on the upload step instead; if your workflow restricts `permissions`, the upload step also needs `security-events: write`. 
As long as you reference a Dockerfile with `--file=Dockerfile` then a `snyk.sarif` file will be generated which can be uploaded to GitHub Code Scanning. 53 | 54 | ![GitHub Code Scanning and Snyk](codescanning.png) 55 | 56 | ```yaml 57 | name: Snyk Container 58 | on: push 59 | jobs: 60 | snyk: 61 | runs-on: ubuntu-latest 62 | steps: 63 | - uses: actions/checkout@v2 64 | - name: Build a Docker image 65 | run: docker build -t your/image-to-test . 66 | - name: Run Snyk to check Docker image for vulnerabilities 67 | # Snyk can be used to break the build when it detects vulnerabilities. 68 | # In this case we want to upload the issues to GitHub Code Scanning 69 | continue-on-error: true 70 | uses: snyk/actions/docker@master 71 | env: 72 | # In order to use the Snyk Action you will need to have a Snyk API token. 73 | # More details in https://github.com/snyk/actions#getting-your-snyk-token 74 | # or you can signup for free at https://snyk.io/login 75 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 76 | with: 77 | image: your/image-to-test 78 | args: --file=Dockerfile 79 | - name: Upload result to GitHub Code Scanning 80 | uses: github/codeql-action/upload-sarif@v2 81 | with: 82 | sarif_file: snyk.sarif 83 | ``` 84 | -------------------------------------------------------------------------------- /docker/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Docker" 2 | description: "Check your Docker images for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | image: 14 | description: "Image to test" 15 | json: 16 | description: "Output a snyk.json file with results if running the test command" 17 | default: false 18 | sarif: 19 | description: "Output a snyk.sarif file with results 
if running the test command" 20 | default: true 21 | runs: 22 | using: "docker" 23 | image: "docker://snyk/snyk:docker" 24 | env: 25 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 26 | SNYK_INTEGRATION_VERSION: docker 27 | args: 28 | - snyk 29 | - ${{ inputs.command }} 30 | - ${{ inputs.args }} 31 | - --docker 32 | - ${{ inputs.image }} 33 | -------------------------------------------------------------------------------- /docker/codescanning.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/snyk/actions/cdb760004ba9ea4d525f2e043745dfe85bb9077e/docker/codescanning.png -------------------------------------------------------------------------------- /docker/example.yml: -------------------------------------------------------------------------------- 1 | # A sample workflow which checks out the code, builds a container 2 | # image using Docker and scans that image for vulnerabilities using 3 | # Snyk. The results are then uploaded to GitHub Security Code Scanning 4 | # 5 | # For more examples, including how to limit scans to only high-severity 6 | # issues, monitor images for newly disclosed vulnerabilities in Snyk and 7 | # fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ 8 | 9 | name: Snyk Container 10 | on: push 11 | jobs: 12 | snyk: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Build a Docker image 17 | run: docker build -t your/image-to-test . 18 | - name: Run Snyk to check Docker image for vulnerabilities 19 | # Snyk can be used to break the build when it detects vulnerabilities. 20 | # In this case we want to upload the issues to GitHub Code Scanning 21 | continue-on-error: true 22 | uses: snyk/actions/docker@master 23 | env: 24 | # In order to use the Snyk Action you will need to have a Snyk API token. 
25 | # More details in https://github.com/snyk/actions#getting-your-snyk-token 26 | # or you can signup for free at https://snyk.io/login 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | with: 29 | image: your/image-to-test 30 | args: --file=Dockerfile 31 | - name: Upload result to GitHub Code Scanning 32 | uses: github/codeql-action/upload-sarif@v2 33 | with: 34 | sarif_file: snyk.sarif 35 | -------------------------------------------------------------------------------- /dotnet/README.md: -------------------------------------------------------------------------------- 1 | # Snyk dotNET Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your dotNET projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for dotNET using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/dotnet@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk dotNET Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for dotNET using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/dotnet@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for dotNET using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/dotnet@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- 
/dotnet/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk dotNET" 2 | description: "Check your dotNET application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:dotnet" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: dotnet 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /golang/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Golang Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Golang projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Golang using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/golang@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Golang Action has properties which are passed to the underlying image. These are passed to the action using `with`. 
26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Golang using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/golang@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Golang using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/golang@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /golang/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Golang" 2 | description: "Check your Golang application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:golang" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: golang 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /gradle-jdk11/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle (jdk11) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle-jdk11 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle-jdk11@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle-jdk11@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle-jdk11@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /gradle-jdk11/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle (jdk11)" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle-jdk11" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle-jdk11 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /gradle-jdk12/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle (jdk12) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle-jdk12 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle-jdk12@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. 
These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle-jdk12@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle-jdk12@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /gradle-jdk12/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle (jdk12)" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle-jdk12" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle-jdk12 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /gradle-jdk14/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle (jdk14) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle-jdk14 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle-jdk14@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle-jdk14@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle-jdk14@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /gradle-jdk14/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle (jdk14)" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle-jdk14" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle-jdk14 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /gradle-jdk16/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle (jdk16) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle-jdk16 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle-jdk16@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. 
These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle-jdk16@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle-jdk16@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /gradle-jdk16/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle (jdk16)" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle-jdk16" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle-jdk16 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /gradle-jdk17/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle (jdk17) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle-jdk17 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle-jdk17@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle-jdk17@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle-jdk17@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /gradle-jdk17/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle (jdk17)" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle-jdk17" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle-jdk17 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /gradle/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Gradle Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Gradle projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Gradle using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/gradle@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Gradle Action has properties which are passed to the underlying image. These are passed to the action using `with`. 
26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Gradle using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/gradle@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Gradle using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/gradle@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /gradle/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Gradle" 2 | description: "Check your Gradle application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:gradle" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: gradle 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /iac/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Infrastructure as Code Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.io) to check for 4 | issues in your Infrastructure as Code files. 5 | 6 | You can use the Action as follows: 7 | 8 | ```yaml 9 | name: Example workflow for Snyk Infrastructure as Code 10 | on: push 11 | jobs: 12 | security: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@v2 16 | - name: Run Snyk to check Kubernetes manifest file for issues 17 | uses: snyk/actions/iac@master 18 | env: 19 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 20 | ``` 21 | 22 | In order to use the Snyk Infrastructure as Code Test Action, you will need to have a Snyk API token. 23 | More details in [Getting Your Snyk Token](https://github.com/snyk/actions#getting-your-snyk-token), or you can [sign up for free](https://snyk.io/login). Note that the examples reference the action by the mutable `@master` branch; pinning `uses:` to a release tag or a commit SHA makes the action version you run reproducible. 24 | 25 | 26 | The Snyk Infrastructure as Code Action has properties which are passed to the underlying image. These are 27 | passed to the action using `with`: 28 | 29 | | Property | Default | Description | 30 | |-----------|----------|-------------------------------------------------------------------| 31 | | `args` | | Override the default arguments to the Snyk image. | 32 | | `command` | `"test"` | Specify which command to run, currently only `test` is supported. | 33 | | `file` | | The file or directory paths to scan for issues. | 34 | | `json` | `false` | In addition to the stdout, save the results as snyk.json | 35 | | `sarif` | `true` | In addition to the stdout, save the results as snyk.sarif | 36 | 37 | ## Examples 38 | ### Specifying paths 39 | You can specify the paths to the configuration files and directories to target during the test. 
40 | When no path is specified, the whole repository is scanned by default: 41 | 42 | ```yaml 43 | name: Example workflow for Snyk Infrastructure as Code 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@v2 50 | - name: Run Snyk to check Kubernetes manifest file for issues 51 | uses: snyk/actions/iac@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | file: your/kubernetes-manifest.yaml your/terraform/directory 56 | ``` 57 | 58 | ### Specifying severity threshold 59 | You can also choose to only report on high severity vulnerabilities: 60 | 61 | ```yaml 62 | name: Example workflow for Snyk Infrastructure as Code 63 | on: push 64 | jobs: 65 | security: 66 | runs-on: ubuntu-latest 67 | steps: 68 | - uses: actions/checkout@v2 69 | - name: Run Snyk to check Kubernetes manifest file for issues 70 | uses: snyk/actions/iac@master 71 | env: 72 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 73 | with: 74 | file: your/kubernetes-manifest.yaml 75 | args: --severity-threshold=high 76 | ``` 77 | ### Sharing test results 78 | You can [share your test results](https://docs.snyk.io/products/snyk-infrastructure-as-code/share-cli-results-with-the-snyk-web-ui) to the Snyk platform: 79 | 80 | ```yaml 81 | name: Example workflow for Snyk Infrastructure as Code 82 | on: push 83 | jobs: 84 | security: 85 | runs-on: ubuntu-latest 86 | steps: 87 | - uses: actions/checkout@v2 88 | - name: Run Snyk to check Kubernetes manifest file for issues 89 | uses: snyk/actions/iac@master 90 | env: 91 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 92 | with: 93 | args: --report 94 | ``` 95 | ### Specifying scan mode for Terraform Plan 96 | You can also choose the [scan mode](https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code/test-your-terraform-files-with-the-cli-tool#terraform-plan), when scanning Terraform Plan files: 97 | 98 | ```yaml 99 | name: Example workflow for Snyk Infrastructure as 
Code 100 | on: push 101 | jobs: 102 | security: 103 | runs-on: ubuntu-latest 104 | steps: 105 | - uses: actions/checkout@v2 106 | - name: Run Snyk to check Kubernetes manifest file for issues 107 | uses: snyk/actions/iac@master 108 | env: 109 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 110 | with: 111 | args: --scan=resource-changes 112 | ``` 113 | 114 | ### Integrating with GitHub Code Scanning 115 | 116 | The Infrastructure as Code Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. When run, a `snyk.sarif` file will be generated which can be uploaded to GitHub Code Scanning: 117 | 118 | ```yaml 119 | name: Snyk Infrastructure as Code 120 | on: push 121 | jobs: 122 | snyk: 123 | runs-on: ubuntu-latest 124 | steps: 125 | - uses: actions/checkout@v2 126 | - name: Run Snyk to check configuration files for security issues 127 | # Snyk can be used to break the build when it detects security issues. 128 | # In this case we want to upload the issues to GitHub Code Scanning 129 | continue-on-error: true 130 | uses: snyk/actions/iac@master 131 | env: 132 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 133 | - name: Upload result to GitHub Code Scanning 134 | uses: github/codeql-action/upload-sarif@v2 135 | with: 136 | sarif_file: snyk.sarif 137 | ``` 138 | 139 | ## Related Documentation 140 | For more information on how to use the `snyk iac test` command, see the following: 141 | - [Snyk CLI for Infrastructure as Code](https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code) 142 | - [Snyk Infrastructure as Code Test Command](https://docs.snyk.io/snyk-cli/commands/iac-test) 143 | -------------------------------------------------------------------------------- /iac/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Infrastructure as Code" 2 | description: "Check your Infrastructure as Code files for issues using Snyk" 3 | author: "Gareth 
Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | file: 14 | description: "File to test" 15 | json: 16 | description: "Output a snyk.json file with results if running the test command" 17 | default: false 18 | sarif: 19 | description: "Output a snyk.sarif file with results if running the test command" 20 | default: true 21 | runs: 22 | using: "docker" 23 | image: "docker://snyk/snyk:alpine" 24 | env: 25 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 26 | SNYK_INTEGRATION_VERSION: iac 27 | args: 28 | - snyk 29 | - iac 30 | - ${{ inputs.command }} 31 | - ${{ inputs.file }} 32 | - ${{ inputs.args }} 33 | -------------------------------------------------------------------------------- /iac/example.yml: -------------------------------------------------------------------------------- 1 | # A sample workflow which checks out your Infrastructure as Code Configuration files, 2 | # such as Kubernetes, Helm & Terraform and scans them for any security issues. 3 | # The results are then uploaded to GitHub Security Code Scanning 4 | # 5 | # For more examples, including how to limit scans to only high-severity issues 6 | # and fail PR checks, see https://github.com/snyk/actions/ 7 | 8 | name: Snyk Infrastructure as Code 9 | on: push 10 | jobs: 11 | snyk: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@v2 15 | - name: Run Snyk to check configuration files for security issues 16 | # Snyk can be used to break the build when it detects security issues. 17 | # In this case we want to upload the issues to GitHub Code Scanning 18 | continue-on-error: true 19 | uses: snyk/actions/iac@master 20 | env: 21 | # In order to use the Snyk Action you will need to have a Snyk API token. 
22 | # More details in https://github.com/snyk/actions#getting-your-snyk-token 23 | # or you can signup for free at https://snyk.io/login 24 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 25 | # Scans the whole repository by default. 26 | # Alternatively, add the path to the configuration file that you would like to test. 27 | # For example `deployment.yaml` for a Kubernetes deployment manifest 28 | # or `main.tf` for a Terraform configuration file 29 | # with: 30 | # file: your-file-to-test.yaml 31 | - name: Upload result to GitHub Code Scanning 32 | uses: github/codeql-action/upload-sarif@v2 33 | with: 34 | sarif_file: snyk.sarif 35 | -------------------------------------------------------------------------------- /maven-3-jdk-11/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven (3-jdk-11) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven-3-jdk-11 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven-3-jdk-11@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. 
See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven-3-jdk-11@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven-3-jdk-11@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /maven-3-jdk-11/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven (3-jdk-11)" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven-3-jdk-11" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven-3-jdk-11 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /maven-3-jdk-17/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven (3-jdk-17) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven-3-jdk-17 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven-3-jdk-17@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven-3-jdk-17@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using the `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this (note that the job then succeeds even when vulnerabilities are found, so act on the uploaded Code Scanning alerts rather than on the job status): 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven-3-jdk-17@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /maven-3-jdk-17/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven (3-jdk-17)" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven-3-jdk-17" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven-3-jdk-17 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /maven-3-jdk-20/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven (3-jdk-20) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven-3-jdk-20 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven-3-jdk-20@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. 
These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven-3-jdk-20@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven-3-jdk-20@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /maven-3-jdk-20/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven (3-jdk-20)" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven-3-jdk-20" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven-3-jdk-20 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /maven-3-jdk-21/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven (3-jdk-21) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven-3-jdk-21 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven-3-jdk-21@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven-3-jdk-21@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven-3-jdk-21@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /maven-3-jdk-21/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven (3-jdk-21)" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven-3-jdk-21" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven-3-jdk-21 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /maven-3-jdk-22/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven (3-jdk-22) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven-3-jdk-22 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven-3-jdk-22@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. 
These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven-3-jdk-22@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven-3-jdk-22@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /maven-3-jdk-22/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven (3-jdk-22)" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven-3-jdk-22" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven-3-jdk-22 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /maven/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Maven Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Maven projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Maven using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/maven@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for Maven using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/maven@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Maven using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/maven@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- 
/maven/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Maven" 2 | description: "Check your Maven application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:maven" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: maven 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /node/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Node Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Node projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Node using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/node@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Node Action has properties which are passed to the underlying image. These are passed to the action using `with`. 
26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Node using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/node@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Node using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/node@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /node/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk" 2 | description: "Check your Node application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:node" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: node 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /php/README.md: -------------------------------------------------------------------------------- 1 | # Snyk PHP Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your PHP projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for PHP using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/php@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk PHP Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for PHP using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/php@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for PHP using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/php@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /php/action.yml: 
-------------------------------------------------------------------------------- 1 | name: "Snyk PHP" 2 | description: "Check your PHP application for vulnerabilities using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:php" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: php 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python-3.10/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python (3.10) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python-3.10 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how the Snyk GitHub Actions can be used. Snyk requires the Python dependencies to have been downloaded before the Snyk checks are run or triggered. 7 | > The Python image checks for and installs dependencies only if the manifest files are present in the current path (the directory from which the action is triggered): 8 | > 1. If pip is present on the current path, and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. 
If pyproject.toml is present in the current path and Snyk does not find a poetry.lock, then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present in any location other than the root, then their dependencies MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python-3.10@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python-3.10@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python-3.10@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /python-3.10/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python (3.10)" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python-3.10" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python-3.10 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python-3.6/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python (3.6) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python-3.6 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. 
If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python-3.6@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python-3.6@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python-3.6@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /python-3.6/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python (3.6)" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python-3.6" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python-3.6 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python-3.7/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python (3.7) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python-3.7 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. 
If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python-3.7@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python-3.7@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python-3.7@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /python-3.7/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python (3.7)" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python-3.7" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python-3.7 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python-3.8/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python (3.8) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python-3.8 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. 
If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python-3.8@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python-3.8@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python-3.8@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /python-3.8/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python (3.8)" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python-3.8" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python-3.8 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python-3.9/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python (3.9) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python-3.9 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. 
If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python-3.9@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python-3.9@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python-3.9@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | 
-------------------------------------------------------------------------------- /python-3.9/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python (3.9)" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python-3.9" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python-3.9 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /python/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Python Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Python projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. 7 | > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) 8 | > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. 9 | > 2. 
If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update 10 | > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry 11 | > 12 | > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. 13 | 14 | You can use the Action as follows: 15 | 16 | ```yaml 17 | name: Example workflow for Python using Snyk 18 | on: push 19 | jobs: 20 | security: 21 | runs-on: ubuntu-latest 22 | steps: 23 | - uses: actions/checkout@master 24 | - name: Run Snyk to check for vulnerabilities 25 | uses: snyk/actions/python@master 26 | env: 27 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 28 | ``` 29 | 30 | ## Properties 31 | 32 | The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 36 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 37 | | command | test | Specify which command to run, for instance test or monitor | 38 | | json | false | In addition to the stdout, save the results as snyk.json | 39 | 40 | For example, you can choose to only report on high severity vulnerabilities. 
41 | 42 | ```yaml 43 | name: Example workflow for Python using Snyk 44 | on: push 45 | jobs: 46 | security: 47 | runs-on: ubuntu-latest 48 | steps: 49 | - uses: actions/checkout@master 50 | - name: Run Snyk to check for vulnerabilities 51 | uses: snyk/actions/python@master 52 | env: 53 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 54 | with: 55 | args: --severity-threshold=high 56 | ``` 57 | 58 | ## Uploading Snyk scan results to GitHub Code Scanning 59 | 60 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 61 | 62 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 63 | 64 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 65 | 66 | ```yaml 67 | name: Example workflow for Python using Snyk 68 | on: push 69 | jobs: 70 | security: 71 | runs-on: ubuntu-latest 72 | steps: 73 | - uses: actions/checkout@master 74 | - name: Run Snyk to check for vulnerabilities 75 | uses: snyk/actions/python@master 76 | continue-on-error: true # To make sure that SARIF upload gets called 77 | env: 78 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 79 | with: 80 | args: --sarif-file-output=snyk.sarif 81 | - name: Upload result to GitHub Code Scanning 82 | uses: github/codeql-action/upload-sarif@v2 83 | with: 84 | sarif_file: snyk.sarif 85 | ``` 86 | 87 | Made with 💜 by Snyk 88 | 89 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 90 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 91 | -------------------------------------------------------------------------------- 
/python/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Python" 2 | description: "Check your Python application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:python" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: python 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /ruby/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Ruby Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Ruby projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Ruby using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/ruby@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Ruby Action has properties which are passed to the underlying image. These are passed to the action using `with`. 
26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Ruby using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/ruby@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Ruby using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/ruby@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /ruby/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Ruby" 2 | description: "Check your Ruby application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:ruby" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: ruby 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /sbt1.10.0-scala3.4.2/README.md: -------------------------------------------------------------------------------- 1 | # Snyk SBT1.10.0 (Scala3.4.2) Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your SBT1.10.0-Scala3.4.2 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for SBT1.10.0 using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/sbt1.10.0-scala3.4.2@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk SBT1.10.0 Action has properties which are passed to the underlying image. These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 
34 | 35 | ```yaml 36 | name: Example workflow for SBT1.10.0 using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/sbt1.10.0-scala3.4.2@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for SBT1.10.0 using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/sbt1.10.0-scala3.4.2@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | 
-------------------------------------------------------------------------------- /sbt1.10.0-scala3.4.2/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk SBT1.10.0 (Scala3.4.2)" 2 | description: "Check your SBT1.10.0 application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:sbt1.10.0-scala3.4.2" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: sbt1.10.0-scala3.4.2 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | -------------------------------------------------------------------------------- /scala/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Scala Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities in your Scala projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. 5 | 6 | 7 | You can use the Action as follows: 8 | 9 | ```yaml 10 | name: Example workflow for Scala using Snyk 11 | on: push 12 | jobs: 13 | security: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - uses: actions/checkout@master 17 | - name: Run Snyk to check for vulnerabilities 18 | uses: snyk/actions/scala@master 19 | env: 20 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 21 | ``` 22 | 23 | ## Properties 24 | 25 | The Snyk Scala Action has properties which are passed to the underlying image. 
These are passed to the action using `with`. 26 | 27 | | Property | Default | Description | 28 | | -------- | ------- | --------------------------------------------------------------------------------------------------- | 29 | | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | 30 | | command | test | Specify which command to run, for instance test or monitor | 31 | | json | false | In addition to the stdout, save the results as snyk.json | 32 | 33 | For example, you can choose to only report on high severity vulnerabilities. 34 | 35 | ```yaml 36 | name: Example workflow for Scala using Snyk 37 | on: push 38 | jobs: 39 | security: 40 | runs-on: ubuntu-latest 41 | steps: 42 | - uses: actions/checkout@master 43 | - name: Run Snyk to check for vulnerabilities 44 | uses: snyk/actions/scala@master 45 | env: 46 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 47 | with: 48 | args: --severity-threshold=high 49 | ``` 50 | 51 | ## Uploading Snyk scan results to GitHub Code Scanning 52 | 53 | Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. 54 | 55 | ![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) 56 | 57 | The Snyk Action will fail when vulnerabilities are found. 
This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: 58 | 59 | ```yaml 60 | name: Example workflow for Scala using Snyk 61 | on: push 62 | jobs: 63 | security: 64 | runs-on: ubuntu-latest 65 | steps: 66 | - uses: actions/checkout@master 67 | - name: Run Snyk to check for vulnerabilities 68 | uses: snyk/actions/scala@master 69 | continue-on-error: true # To make sure that SARIF upload gets called 70 | env: 71 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 72 | with: 73 | args: --sarif-file-output=snyk.sarif 74 | - name: Upload result to GitHub Code Scanning 75 | uses: github/codeql-action/upload-sarif@v2 76 | with: 77 | sarif_file: snyk.sarif 78 | ``` 79 | 80 | Made with 💜 by Snyk 81 | 82 | [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' 83 | [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' 84 | -------------------------------------------------------------------------------- /scala/action.yml: -------------------------------------------------------------------------------- 1 | name: "Snyk Scala" 2 | description: "Check your Scala application for vulnerabilties using Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | command: 9 | description: "Which Snyk command to run, defaults to test" 10 | default: test 11 | args: 12 | description: "Additional arguments to pass to Snyk" 13 | json: 14 | description: "Output a snyk.json file with results if running the test command" 15 | default: false 16 | runs: 17 | using: "docker" 18 | image: "docker://snyk/snyk:scala" 19 | env: 20 | FORCE_COLOR: 2 21 | SNYK_INTEGRATION_NAME: GITHUB_ACTIONS 22 | SNYK_INTEGRATION_VERSION: scala 23 | args: 24 | - snyk 25 | - ${{ inputs.command }} 26 | - ${{ inputs.args }} 27 | 
-------------------------------------------------------------------------------- /setup/README.md: -------------------------------------------------------------------------------- 1 | # Snyk Setup Action 2 | 3 | A [GitHub Action](https://github.com/features/actions) for installing [Snyk](https://snyk.co/SnykGH) to check for 4 | vulnerabilities. 5 | 6 | You can use the Action as follows: 7 | 8 | ```yaml 9 | name: Snyk example 10 | on: push 11 | jobs: 12 | security: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@master 16 | - uses: snyk/actions/setup@master 17 | - uses: actions/setup-go@v1 18 | with: 19 | go-version: "1.13" 20 | - name: Snyk test 21 | run: snyk test 22 | env: 23 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 24 | ``` 25 | 26 | When using the Setup Action you are responsible for setting up the development environment required to run Snyk. 27 | In this example it is a Go project, so `actions/setup-go` was used, but this will be specific to your project. The [language and frameworks guides](https://docs.github.com/en/actions/language-and-framework-guides) are a good starting point. 28 | 29 | The Setup Action requires `bash` and `curl` to be available and needs privileges to write to `/usr/local/bin`; it will try to use `sudo` to gain these privileges. 30 | 31 | The Snyk Setup Action has properties which are passed to the underlying image. These are 32 | passed to the action using `with`. 33 | 34 | | Property | Default | Description | 35 | | --- | --- | --- | 36 | | snyk-version | latest | Install a specific version of Snyk | 37 | 38 | The Action also has outputs: 39 | 40 | | Property | Default | Description | 41 | | --- | --- | --- | 42 | | version | | The full version of the Snyk CLI installed | 43 | 44 | For example, you can choose to install a specific version of Snyk. 
The installed version can be 45 | grabbed from the output: 46 | 47 | ```yaml 48 | name: Snyk example 49 | on: push 50 | jobs: 51 | security: 52 | runs-on: ubuntu-latest 53 | steps: 54 | - uses: actions/checkout@master 55 | - uses: snyk/actions/setup@master 56 | id: snyk 57 | with: 58 | snyk-version: v1.391.0 59 | - uses: actions/setup-go@v1 60 | with: 61 | go-version: "1.13" 62 | - name: Snyk version 63 | run: echo "${{ steps.snyk.outputs.version }}" 64 | - name: Snyk monitor 65 | run: snyk monitor 66 | env: 67 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 68 | ``` 69 | -------------------------------------------------------------------------------- /setup/action.yml: -------------------------------------------------------------------------------- 1 | name: "Setup Snyk" 2 | description: "Installs a specific version of Snyk" 3 | author: "Gareth Rushgrove" 4 | branding: 5 | icon: "alert-triangle" 6 | color: "yellow" 7 | inputs: 8 | snyk-version: 9 | description: "Which Snyk version to install" 10 | default: latest 11 | os: 12 | description: "Which Operating System Snyk will run on" 13 | default: ${{ runner.os }} 14 | outputs: 15 | version: 16 | description: "The version of Snyk installed" 17 | value: ${{ steps.version.outputs.version }} 18 | runs: 19 | using: "composite" 20 | steps: 21 | - run: | 22 | echo $GITHUB_ACTION_PATH 23 | echo ${{ github.action_path }} 24 | 25 | ${{ github.action_path }}/setup_snyk.sh ${{ inputs.snyk-version }} ${{ inputs.os }} || $GITHUB_ACTION_PATH/setup_snyk.sh ${{ inputs.snyk-version }} ${{ inputs.os }} 26 | shell: bash 27 | - id: version 28 | shell: bash 29 | run: echo "version=$(snyk version)" >> $GITHUB_OUTPUT 30 | -------------------------------------------------------------------------------- /setup/setup_snyk.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e 3 | 4 | # This script takes two positional arguments. The first is the version of Snyk to install. 
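# This can be a standard version (ie. v1.390.0) or it can be latest, in which case the
# latest released version will be used.
#
# The second argument is the platform, in the format used by the `runner.os` context variable
# in GitHub Actions. Note that this script does not currently support Windows based environments.
#
# As an example, the following would install the latest version of Snyk for GitHub Actions for
# a Linux runner:
#
#   ./snyk-setup.sh latest Linux
#
# What the script does, in order:
#   1. validates the two arguments and maps the platform to a binary name (snyk-<prefix>);
#   2. writes a small `snyk` wrapper that sets the integration env vars and execs that binary;
#   3. downloads the binary and its .sha256 file into a private temp dir, trying the primary
#      host first and the backup host second, and checks the checksum;
#   4. moves the verified binary and the wrapper into /usr/local/bin (via sudo when available).
# Nothing is placed on the PATH until the checksum has been verified, so a failed run does
# not leave a wrapper behind that points at a missing binary.

# Print a message prefixed with a UTC timestamp (the literal Z suffix is only truthful with -u).
# $*: the message text; all arguments are joined with spaces.
echo_with_timestamp() {
  echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
}

# Print a message to stderr and abort the script with exit status 1.
die() {
  echo_with_timestamp "$@" >&2
  exit 1
}

# Check if correct number of arguments is provided
[ "$#" -eq 2 ] || die "Setup Snyk requires two arguments, $# provided"

VERSION=$1
PLATFORM=$2
MAIN_URL="https://downloads.snyk.io/cli"
BACKUP_URL="https://static.snyk.io/cli"
INSTALL_DIR="/usr/local/bin"
SUDO_CMD="sudo"
GH_ACTIONS="GITHUB_ACTIONS"

# The version is spliced into a URL path below. Accept only a plain token (letters, digits,
# dot, dash, underscore — which covers "latest" and "v1.390.0") so a value such as "../x" or
# one carrying a query string cannot change which path is fetched.
case "$VERSION" in
  "" | *[!A-Za-z0-9._-]*) die "Invalid Snyk version specified: '$VERSION'" ;;
esac

# Determine the prefix based on the platform
case "$PLATFORM" in
  Linux) PREFIX=linux ;;
  macOS) PREFIX=macos ;;
  Alpine) PREFIX=alpine ;;
  Windows) die "Windows runner not currently supported" ;;
  *) die "Invalid runner specified: $PLATFORM" ;;
esac
BINARY="snyk-${PREFIX}"

# Work in a private temp dir that is removed again on any exit, success or failure.
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT
cd "$WORK_DIR"
echo_with_timestamp "Installing the $VERSION version of Snyk on $PLATFORM"

if ! command -v "$SUDO_CMD" &> /dev/null; then
  echo_with_timestamp "$SUDO_CMD is NOT installed. Trying without sudo, expecting privileges to write to '$INSTALL_DIR'."
  SUDO_CMD=""
else
  echo_with_timestamp "$SUDO_CMD is installed."
fi

# Write the `snyk` wrapper. The heredoc is deliberately unquoted: $GH_ACTIONS, $PLATFORM,
# $INSTALL_DIR and $BINARY are filled in now, while "\$@" stays literal so the wrapper hands
# every caller argument through unchanged (an unquoted $@ under eval would re-split on
# whitespace and reinterpret shell metacharacters in the arguments). The binary is called by
# absolute path rather than looked up on the caller's PATH.
cat > snyk <<EOF
#!/bin/bash
export SNYK_INTEGRATION_NAME="$GH_ACTIONS"
export SNYK_INTEGRATION_VERSION="setup (${PLATFORM})"
export FORCE_COLOR=2
exec "${INSTALL_DIR}/${BINARY}" "\$@"
EOF
chmod +x snyk

# Download a Snyk binary and its .sha256 file from one base URL and verify the checksum.
# Parameters:
#   $1: base URL (host plus version path)
#   $2: file name of the binary, also used as the output file name
# Returns non-zero if either download or the checksum check fails, so the caller can fall
# back to the other host.
download_file() {
  local base_url=$1
  local file=$2
  local query="?utm_source=${GH_ACTIONS}"

  echo_with_timestamp "Downloading files from $base_url"
  if curl --fail -D - --compressed --retry 2 --output "$file" "$base_url/$file$query"; then
    echo_with_timestamp "Downloaded binary from $base_url/$file$query"
  else
    echo_with_timestamp "Failed to download binary from $base_url/$file$query"
    return 1
  fi

  if curl --fail -D - --compressed --retry 2 --output "$file.sha256" "$base_url/$file.sha256$query"; then
    echo_with_timestamp "Downloaded shasum from $base_url/$file.sha256$query"
  else
    echo_with_timestamp "Failed to download shasum from $base_url/$file.sha256$query"
    return 1
  fi

  # The checksum file is served by the same host as the binary, so this check guards against
  # truncated or corrupted transfers; authenticity of the origin rests on TLS, not on the hash.
  echo_with_timestamp "Validating shasum"
  if ! sha256sum -c "$file.sha256"; then
    echo_with_timestamp "Actual: "
    sha256sum "$file"

    echo_with_timestamp "Expected: "
    cat "$file.sha256"

    echo_with_timestamp "Shasum validation failed"
    return 1
  fi
}

if ! download_file "$MAIN_URL/$VERSION" "$BINARY"; then
  echo_with_timestamp "Failed to download and validate Snyk files"

  echo_with_timestamp "Retrying download with secondary URL"
  if ! download_file "$BACKUP_URL/$VERSION" "$BINARY"; then
    die "Failed to download and validate Snyk files"
  fi
fi

# Make the binary executable
chmod +x "$BINARY"

echo_with_timestamp "Moving and cleaning files"
# Install the verified binary and the wrapper together; the temp dir is removed by the EXIT trap.
${SUDO_CMD} mv "$BINARY" snyk "$INSTALL_DIR"

echo_with_timestamp "Installed Snyk v$(snyk -v)"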