I'm setting up a GitHub Actions workflow to perform security scans on my Node.js project using Snyk. I want to run multiple Snyk commands within the same job of the workflow, but I'm not sure how to achieve this without redundant configurations.
Here is a simplified version of my existing GitHub Actions workflow:
name: Example workflow for Node using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
By default, if we don't pass any command, it will run snyk test, which only checks for vulnerabilities in dependencies. I want to run snyk test, snyk code test and monitor. For snyk test and snyk code test, I want the generated sarif file to be uploaded to GitHub code scanning. I couldn't find anything related in the Snyk docs.
So, how can I get the sarif file for snyk test and snyk code test?
I tried this, but it didn't work. I got the error: snyk: command not found
      - name: Run Snyk package test
        run: snyk test
      - name: Run Snyk code test
        run: snyk code test > snyk.sarif
      - name: Run Snyk monitor
        run: snyk monitor
Now, I am thinking of repeating the block for each command, like:
      - name: Run Snyk to check for package vulnerability and
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
      - name: Run Snyk to check for package vulnerability
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
But I am not sure if this is the right approach. Also, with this approach I am not able to get the sarif files combined for snyk test and snyk code test.
I was able to create a directory which holds the sarif files from each step, and then uploaded the directory.
name: Snyk Scan
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Get Node v18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: Install dependencies
        run: npm install
      - name: Run Snyk test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test --sarif
          args: --sarif-file-output=snyk_test.sarif
      - name: Run Snyk code test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test --sarif
          args: --sarif-file-output=snyk_code_test.sarif
      - name: Run Snyk monitor
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
      - name: Create SARIF directory and move SARIF files
        run: |
          mkdir sarif_files &&
          mv snyk_test.sarif snyk_code_test.sarif sarif_files/
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sarif_files
Still not sure if this is the right way, though.
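The question also asks for the two SARIF files to be combined rather than uploaded as a directory. As an added example (not code from the question, the answer or Snyk), the script below concatenates the runs of the snyk test and snyk code test outputs into one SARIF 2.1.0 log, and skips a file that a continue-on-error step never wrote instead of failing the way the mv step would. The input file names and the sample SARIF documents it writes are assumptions/constructed.

```python
# Merge the SARIF files from `snyk test` and `snyk code test` into one SARIF
# 2.1.0 log for a single upload-sarif step. Added example; file names and
# sample documents are constructed, not real Snyk output.
import json
import os
import sys
import tempfile

SARIF_VERSION = "2.1.0"

def load_runs(path):
    """`runs` of a SARIF file, or [] if it is absent: with continue-on-error a
    Snyk step can exit before writing its output, and mv would then fail."""
    if not os.path.isfile(path):
        print(f"warning: {path} not found, skipping", file=sys.stderr)
        return []
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    runs = doc.get("runs")
    if doc.get("version") != SARIF_VERSION or not isinstance(runs, list):
        raise ValueError(f"{path} is not a SARIF {SARIF_VERSION} log")
    return runs

def merge_sarif(paths, out_path):
    """Concatenate all runs; each run keeps its own tool object, so code scanning
    still attributes findings to Snyk Open Source vs. Snyk Code. Returns result count."""
    runs = [run for path in paths for run in load_runs(path)]
    merged = {"version": SARIF_VERSION, "runs": runs}
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(merged, fh)
    return sum(len(run.get("results", [])) for run in runs)

def _constructed_sarif(tool_name, rule_id):
    # Minimal constructed SARIF log standing in for real Snyk output.
    return {"version": SARIF_VERSION, "runs": [{
        "tool": {"driver": {"name": tool_name, "rules": [{"id": rule_id}]}},
        "results": [{"ruleId": rule_id, "level": "error",
                     "message": {"text": "constructed finding"}}]}]}

def demo(workdir=None):
    """Write two constructed inputs, merge them plus a third file that was never
    written (a failed step), and return (merged result count, output path)."""
    workdir = workdir or tempfile.mkdtemp()
    names = ["snyk_test.sarif", "snyk_code_test.sarif", "missing.sarif"]
    inputs = [os.path.join(workdir, n) for n in names]
    for path, tool in zip(inputs, ["Snyk Open Source", "SnykCode"]):  # missing.sarif stays unwritten
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(_constructed_sarif(tool, "constructed-rule"), fh)
    out = os.path.join(workdir, "snyk_merged.sarif")
    return merge_sarif(inputs, out), out
```

In the workflow, a run: step after the two Snyk steps would call merge_sarif(["snyk_test.sarif", "snyk_code_test.sarif"], "snyk_merged.sarif") and the upload step would point sarif_file at the merged file.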