
I'm setting up a GitHub Actions workflow to perform security scans on my Node.js project using Snyk. I want to run multiple Snyk commands within the same job of the workflow, but I'm not sure how to achieve this without redundant configurations.

Here is a simplified version of my existing GitHub Actions workflow:

name: Example workflow for Node using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

By default, if we don't pass any command, it will run snyk test, which only checks for vulnerabilities in dependencies?

  • I would like to run multiple commands: snyk test, snyk code test and monitor.
  • For snyk test and snyk code test, I want the generated SARIF file to be uploaded to GitHub code scanning.

I couldn't find anything related in the Snyk docs.

So, how can I get the SARIF file for snyk test and snyk code test?

I tried the following, but it didn't work. I got the error: snyk: command not found

      - name: Run Snyk package test
        run: snyk test
      - name: Run Snyk code test
        run: snyk code test > snyk.sarif
      - name: Run Snyk monitor
        run: snyk monitor

Now I am thinking of repeating the block for each command, like:

      - name: Run Snyk to check for package vulnerability and
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
      - name: Run Snyk to check for package vulnerability
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

But I am not sure if this is the right approach. Also, with this approach I am not able to get the SARIF files combined for snyk test and snyk code test.


1 Answer

I was able to create a directory which holds the SARIF files from each step, and then upload the directory.

name: Snyk Scan
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Get Node v18
        uses: actions/setup-node@v3
        with:
          node-version: 18
      - name: Install dependencies
        run: npm install
      - name: Run Snyk test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test --sarif
          args: --sarif-file-output=snyk_test.sarif
      - name: Run Snyk code test
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test --sarif
          args: --sarif-file-output=snyk_code_test.sarif
      - name: Run Snyk monitor
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
      - name: Create SARIF directory and move SARIF files
        run: |
          mkdir sarif_files &&
          mv snyk_test.sarif snyk_code_test.sarif sarif_files/
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sarif_files

Still not sure if this is the right way, though.

  • What you did seems to be the right approach. Let me share with you some **templates with GitHub Actions** where Snyk scans are pushed to GitHub's SARIF upload, if that helps: https://github.com/snyk-labs/snyk-cicd-integration-examples/blob/master/GitHub/GH%20Action%20pipeline-snyk%20code%20scan-SARIF%20file.yml https://github.com/snyk-labs/snyk-cicd-integration-examples/blob/master/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml – Jonathan Gruber Jul 26 '23 at 06:13
  • Also, out of curiosity: why are you integrating Snyk Code in the pipeline? At Snyk, Snyk Code's native SCM integration is usually more powerful. **PR Checks** are available (you need to ask the Snyk account team to open it for you); they provide **code snippets** to go through the issues and code flow; they are **rescanned automatically every time there is a code change**, so you don't need to trigger anything in a pipeline. Just a thought in case you were not aware; nothing wrong with CI/CD of course. But **SCM integration is usually a better workflow for Snyk Code** – Jonathan Gruber Jul 26 '23 at 06:15
  • @JonathanGruber Thanks! Could you provide me with a link for your second comment? I would like to read more. – sujeet Jul 27 '23 at 05:54
  • Sure. If you are on an Enterprise plan, please ask support or your account team to open the PR Check feature for you. https://docs.snyk.io/scan-application-code/run-pr-checks – Jonathan Gruber Jul 27 '23 at 15:06
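The question also asked for the snyk test and snyk code test results combined into one file rather than uploaded as a directory. The script below is an added example (not Snyk's, GitHub's, or the answerer's code) that merges several SARIF 2.1.0 documents into one document with multiple runs, and tags each run with an automationDetails.id so code scanning can keep the two scans apart; the file names snyk_test.sarif and snyk_code_test.sarif come from the answer's workflow, and the two sample SARIF documents are constructed stand-ins, not real Snyk output.

```python
"""Merge several SARIF 2.1.0 files into one document with multiple runs."""
import json
import tempfile
from pathlib import Path

SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"


def merge_sarif(documents, categories=None):
    """Return one SARIF document whose runs are the runs of all inputs.

    categories maps an input index to a string stored in
    runs[].automationDetails.id, so each scan keeps its own category.
    Inputs are not mutated; a version mismatch is refused rather than
    silently producing a document the uploader would reject.
    """
    merged = {"$schema": SARIF_SCHEMA, "version": SARIF_VERSION, "runs": []}
    for idx, doc in enumerate(documents):
        if doc.get("version") != SARIF_VERSION:
            raise ValueError(f"input {idx}: unsupported SARIF version {doc.get('version')!r}")
        for run in doc.get("runs", []):
            run = dict(run)  # shallow copy so the caller's object is untouched
            if categories and idx in categories:
                run["automationDetails"] = {"id": categories[idx]}
            merged["runs"].append(run)
    return merged


def merge_files(paths, out_path, categories=None):
    """Read SARIF files from disk, merge them, write the result; return run count."""
    docs = [json.loads(Path(p).read_text(encoding="utf-8")) for p in paths]
    merged = merge_sarif(docs, categories)
    Path(out_path).write_text(json.dumps(merged, indent=2), encoding="utf-8")
    return len(merged["runs"])


def result_count(doc):
    """Total number of findings across all runs of a SARIF document."""
    return sum(len(r.get("results", [])) for r in doc["runs"])


# Constructed minimal inputs standing in for the two Snyk outputs (not real findings).
SNYK_TEST = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "constructed-sca-tool"}},
             "results": [{"ruleId": "C-1", "level": "error"}, {"ruleId": "C-2", "level": "warning"}]}]}
SNYK_CODE_TEST = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "constructed-sast-tool"}},
                  "results": [{"ruleId": "C-3", "level": "warning"}]}]}

if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    (work / "snyk_test.sarif").write_text(json.dumps(SNYK_TEST))
    (work / "snyk_code_test.sarif").write_text(json.dumps(SNYK_CODE_TEST))
    runs = merge_files([work / "snyk_test.sarif", work / "snyk_code_test.sarif"],
                       work / "snyk.sarif", {0: "snyk-test", 1: "snyk-code-test"})
    print(f"wrote {work / 'snyk.sarif'} with {runs} runs")
```

In the answer's workflow this would replace the mkdir/mv step, with the upload step's sarif_file pointing at the single merged file instead of the directory.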