Tags: github, github-actions, snyk

How to run multiple Snyk commands in a GitHub Actions workflow?


I'm setting up a GitHub Actions workflow to perform security scans on my Node.js project using Snyk. I want to run multiple Snyk commands within the same job of the workflow, but I'm not sure how to achieve this without redundant configurations.

Here is a simplified version of my existing GitHub Actions workflow:

name: Example workflow for Node using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

By default, if we don't pass any command, it will run `snyk test`, which only checks for vulnerabilities in dependencies?

I couldn't find anything related in the Snyk docs.

So, how can I get the SARIF file for `snyk test` and `snyk code test`?

I tried the following, but it didn't work. I got the error `snyk: command not found`:

      - name: Run Snyk package test
        run: snyk test
      - name: Run Snyk code test
        run: snyk code test > snyk.sarif
      - name: Run Snyk monitor
        run: snyk monitor

Now I am thinking of repeating the block for each command, like:

      - name: Run Snyk to check for package vulnerability and
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
      - name: Run Snyk to check for package vulnerability
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

But I am not sure if this is the right approach. Also, with this approach I am not able to get the SARIF files combined for `snyk test` and `snyk code test`.


Solution

  • I was able to create a directory that holds the SARIF files from each step and then upload the directory.

    name: Snyk Scan
    on:
      pull_request:
        types: [opened, synchronize, reopened]
    jobs:
      snyk-scan:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout
            uses: actions/checkout@v3
          - name: Get Node v18
            uses: actions/setup-node@v3
            with:
              node-version: 18
          - name: Install dependencies
            run: npm install
          - name: Run Snyk test
            uses: snyk/actions/node@master
            continue-on-error: true
            env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
            with:
              command: test --sarif
              args: --sarif-file-output=snyk_test.sarif
          - name: Run Snyk code test
            uses: snyk/actions/node@master
            continue-on-error: true
            env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
            with:
              command: code test --sarif
              args: --sarif-file-output=snyk_code_test.sarif
          - name: Run Snyk monitor
            uses: snyk/actions/node@master
            env:
              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
            with:
              command: monitor
          - name: Create SARIF directory and move SARIF files
            run: |
              mkdir sarif_files &&
              mv snyk_test.sarif snyk_code_test.sarif sarif_files/
          - name: Upload result to GitHub Code Scanning
            uses: github/codeql-action/upload-sarif@v2
            with:
              sarif_file: sarif_files

    Still not sure if this is the right way, though.
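
The answer above uploads a directory of separate SARIF files, which `upload-sarif` accepts. If you would rather hand Code Scanning one combined report, the following script is an added example (not code from the question, the answer, or Snyk) that merges several SARIF 2.1.0 files by concatenating their `runs` arrays, so each run keeps its own `tool.driver` block and findings stay attributed to the scanner that produced them. The two sample documents, their tool names, rule ids and messages are constructed for illustration and are not real Snyk output; a document that is not SARIF 2.1.0 or has no `runs` list makes the merge fail rather than silently dropping a scanner's results.

```python
"""Merge several SARIF 2.1.0 files (e.g. from `snyk test` and `snyk code test`)
into one SARIF document by concatenating their `runs` arrays."""
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List

SARIF_VERSION = "2.1.0"

# Constructed sample documents (shape only): tool names, rule ids and
# messages are illustrative placeholders, not real Snyk output.
SNYK_TEST_SARIF: dict = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {"name": "Snyk Open Source",
                            "rules": [{"id": "EXAMPLE-DEP-RULE-1"}]}},
        "results": [{
            "ruleId": "EXAMPLE-DEP-RULE-1", "level": "error",
            "message": {"text": "constructed: vulnerable transitive dependency"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "package-lock.json"}}}],
        }],
    }],
}

SNYK_CODE_SARIF: dict = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {"name": "SnykCode",
                            "rules": [{"id": "EXAMPLE-CODE-RULE-1"}]}},
        "results": [
            {"ruleId": "EXAMPLE-CODE-RULE-1", "level": "warning",
             "message": {"text": "constructed: finding in src/app.js"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.js"},
                 "region": {"startLine": 10}}}]},
            {"ruleId": "EXAMPLE-CODE-RULE-1", "level": "warning",
             "message": {"text": "constructed: finding in src/db.js"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.js"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
}


def merge_sarif(docs: Iterable[dict]) -> dict:
    """Concatenate the `runs` of every document into a single SARIF log.

    Each run keeps its own tool/driver block, so Code Scanning still
    attributes findings to the right scanner. A document that is not
    SARIF 2.1.0 or lacks a `runs` list raises ValueError, so a broken
    scanner output fails the step instead of vanishing from the report.
    """
    merged_runs: List[dict] = []
    schema = None
    for index, doc in enumerate(docs):
        if doc.get("version") != SARIF_VERSION:
            raise ValueError(f"document {index}: expected SARIF {SARIF_VERSION}, "
                             f"got {doc.get('version')!r}")
        runs = doc.get("runs")
        if not isinstance(runs, list):
            raise ValueError(f"document {index}: missing 'runs' array")
        schema = schema or doc.get("$schema")
        merged_runs.extend(runs)
    merged: dict = {"version": SARIF_VERSION, "runs": merged_runs}
    if schema:
        merged["$schema"] = schema
    return merged


def summarize(doc: dict) -> Dict[str, int]:
    """Count results per tool driver name; handy as a sanity check in CI logs."""
    counts: Counter = Counter()
    for run in doc.get("runs", []):
        name = run.get("tool", {}).get("driver", {}).get("name", "<unknown>")
        counts[name] += len(run.get("results", []))
    return dict(counts)


def merge_files(output_path: str, input_paths: List[str]) -> Dict[str, int]:
    """Read each SARIF file, write the merged document, return the summary."""
    docs = []
    for path in input_paths:
        with open(path, encoding="utf-8") as fh:
            docs.append(json.load(fh))
    merged = merge_sarif(docs)
    with open(output_path, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    return summarize(merged)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"usage: {sys.argv[0]} OUTPUT.sarif INPUT.sarif [INPUT.sarif ...]")
        sys.exit(2)
    for tool, count in merge_files(sys.argv[1], sys.argv[2:]).items():
        print(f"{tool}: {count} result(s)")
```

In a workflow like the one in the answer, this would run as a `run:` step after both scan steps (for example `python merge_sarif.py sarif_files/combined.sarif snyk_test.sarif snyk_code_test.sarif`, where the script name is an assumption) and `sarif_file:` would then point at the single combined file; the per-tool counts it prints make it visible in the job log when one scanner produced nothing.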