A GitHub Action for using Snyk to check for
vulnerabilities in your Python-3.7 projects. This Action is based on the Snyk CLI and you can use all of its options and capabilities with the args.
Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry > > If manifest files are present under any location other root then they MUST be installed prior to running Snyk.
You can use the Action as follows:
name: Example workflow for Python using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/python-3.7@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using with.
| Property | Default | Description |
|---|---|---|
| args | Override the default arguments to the Snyk image. See Snyk CLI reference for all options | |
| command | test | Specify which command to run, for instance test or monitor |
| json | false | In addition to the stdout, save the results as snyk.json |
For example, you can choose to only report on high severity vulnerabilities.
name: Example workflow for Python using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/python-3.7@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=highUsing --sarif-file-output Snyk CLI flag and the official GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning.
The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a continue-on-error option like this:
name: Example workflow for Python using Snyk
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/python-3.7@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarifMade with 💜 by Snyk