A GitHub Action for using Snyk to check for
vulnerabilities in your Maven projects. This Action is based on the Snyk CLI and you can use all of its options and capabilities with the args
.
You can use the Action as follows:
name: Example workflow for Maven using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using with
.
Property | Default | Description |
---|---|---|
args | Override the default arguments to the Snyk image. See Snyk CLI reference for all options | |
command | test | Specify which command to run, for instance test or monitor |
json | false | In addition to the stdout, save the results as snyk.json |
For example, you can choose to only report on high severity vulnerabilities.
name: Example workflow for Maven using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
Using --sarif-file-output
Snyk CLI flag and the official GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning.
The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a continue-on-error option like this:
name: Example workflow for Maven using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/maven@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
Made with 💜 by Snyk