
GitHub Action

Snyk

0.2.0

Check your applications for vulnerabilities using Snyk

Installation

Copy and paste the following snippet into your .yml file.

- name: Snyk
  uses: snyk/actions@0.2.0

Learn more about this action in snyk/actions


Snyk GitHub Actions

A set of GitHub Actions for using Snyk to check for vulnerabilities in your GitHub projects. A different action is required depending on which language or build tool you are using. We currently support:

Here's an example of using one of the Actions, in this case to test a Node.js project:

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Run Snyk to check for vulnerabilities
      uses: snyk/actions/node@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

If you want to send data to Snyk, and be alerted when new vulnerabilities are discovered, you can run Snyk monitor like so:

name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Run Snyk to check for vulnerabilities
      uses: snyk/actions/node@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        command: monitor

See the individual Actions linked above for per-language instructions.

Note: GitHub Actions will not pass on secrets set in the repository to forks being used in pull requests, and so the Snyk actions that require the token will fail to run.
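One way to keep fork pull requests from failing on the missing token, as an added example that is not part of the Snyk documentation: it assumes the workflow also triggers on pull_request, and guards the Snyk step with a standard GitHub Actions `if` expression.

```yaml
# Added example (not from the Snyk documentation): skip the Snyk step for
# pull requests opened from forks, where secrets.SNYK_TOKEN is not available.
name: Example workflow using Snyk with a fork guard
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Run Snyk to check for vulnerabilities
      # Runs on pushes, and on pull requests whose head branch lives in this
      # repository. Fork pull requests skip the step instead of failing on
      # an empty token.
      if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
      uses: snyk/actions/node@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

With this guard, changes from forks are not scanned by this job until they are pushed to a branch in the repository, so the push-triggered run remains the point where Snyk results gate the change.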

Getting your Snyk token

The Actions examples above refer to a Snyk API token:

env:
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Every Snyk account has this token, and you can find it in one of two ways:

  1. If you're using the Snyk CLI you can retrieve it by running snyk config get api.
  2. In the UI, go to your account's general settings page (https://app.snyk.io/account) and retrieve the API token, as described in "Revoking and regenerating Snyk API tokens".

Note: The above examples will halt the action when issues are found. If you want to ensure the action continues, even if Snyk finds issues, then continue-on-error (https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) will need to be set.

name: Example workflow using Snyk with continue on error
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Run Snyk to check for vulnerabilities
      uses: snyk/actions/node@master
      continue-on-error: true
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        command: monitor