Snyk Maven Action

A GitHub Action for using Snyk to check for vulnerabilities in your Maven projects. This Action is based on the Snyk CLI, and all of the CLI's options and capabilities are available through the args property.

You can use the Action as follows:

name: Example workflow for Maven using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Properties

The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using the with key.

| Property | Default | Description |
|----------|---------|-------------|
| args | | Override the default arguments to the Snyk image. See the Snyk CLI reference for all options. |
| command | test | Specify which command to run, for instance test or monitor. |
| json | false | In addition to stdout, save the results as snyk.json. |

For example, you can choose to only report on high severity vulnerabilities.

name: Example workflow for Maven using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Uploading Snyk scan results to GitHub Code Scanning

Using the --sarif-file-output Snyk CLI flag and the official GitHub SARIF upload action, you can upload Snyk scan results to GitHub Code Scanning.

[Image: Snyk results as a SARIF output uploaded to GitHub Code Scanning]

The Snyk Action fails when vulnerabilities are found, which would prevent the SARIF upload step from running, so the scan step needs a continue-on-error option like this (note that the job then no longer fails on findings; they are surfaced in Code Scanning instead):

name: Example workflow for Maven using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

Made with 💜 by Snyk