Skip to main content

Showing Snyk security information in GitHub code scanning

Written by:

October 7, 2020

0 mins read

Lots of Snyk users use GitHubfor hosting their source code. Generally, that means looking in one place (GitHub) for source code, and another (Snyk) for information about vulnerabilities. Snyk has always looked to push security information to where developers are, for instance with local tools (like our CLI and IDE plugins) and with our GitHub pull requests and status checks.

With the launch of GitHub code scanning, we’re happy to be able to further embed security information (Snyk) in the native developer workflow, with updates to our GitHub Actions to support code scanning.

GitHub code scanning

Code scanning adds a new feature to the Security tab in GitHub and is available to all GitHub users as of today. With code scanning, you can hook up all of your security tools in one place and see all the vulnerabilities and security issues related to your repositories.

Code scanning surfaces security issues in your repositories before they reach production. This could be application source code, assets, configuration files, etc.

wordpress-sync/blog-snyk-container-vulnerabilities-code-scan
Snyk Container vulnerabilities in GitHub Code scanning

Snyk Container and Snyk Infrastructure as Code

Today both Snyk Container (for scanning container images) and Snyk Infrastructure as Code(for detecting misconfigurations in Kubernetes configuration files and Terraform code) support GitHub code scanning, using our existing Snyk GitHub Actions.

Here’s an example using the Snyk Action to test a Docker image for vulnerabilities, and then uploading a SARIF file to code scanning. SARIF is an open standard from OASIS used by code scanning as the interchange format for security issues.

name: Snyk Container and GitHub Security example
on: push
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build an image
      run: docker build . -t some-image       
    - name: Run Snyk to check image for vulnerabilities
      continue-on-error: true
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        image: some-image
        args: --file=Dockerfile
    - uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: snyk.sarif

So, with just the three extra lines in our workflow to use the upload-sarif action we can take data from Snyk and upload it to GitHub.

Snyk’s new Infrastructure as Code product also works with GitHub code scanning. Here we can detect misconfigurations in your Kubernetes JSON and YAML files or Terraform code and surface those issues directly in GitHub. The following workflow presents a simple example:

name: Snyk Infrastructure as Code and GitHub Security example
on: push
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Run Snyk to check Kubernetes manifest file for issues
      continue-on-error: true
      uses: snyk/actions/iac@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        file: your/kubernetes-manifest.yaml
    - uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: snyk.sarif

With the above workflow up and running we’ll see security misconfigurations from Snyk appearing in GitHub.

wordpress-sync/blog-snyk-iac-report-example
Details about an issue that was found by Snyk Infrastructure as Code

Here you can see details about the issue as well as the context of the line that has the problem and the commit that introduced it.

The Snyk Infrastructure as Code Action currently supports Kubernetes configuration files only, but we’ll be launching support for Terraform soon, and other configuration formats later.

Next steps

Please try out the Snyk GitHub Actions and new GitHub code scanning support and let us know what you think. We have some great ideas already about improving the Actions and expanding the GitHub code scanning support to all of Snyk’s functionality. Watch this space for even more features than embed security in the heart of the developer workflow.