A GitHub Action for using Snyk to check for issues in your Infrastructure as Code files.
You can use the Action as follows:
```yaml
name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```
In order to use the Snyk Infrastructure as Code Test Action, you will need to have a Snyk API token. More details are in Getting Your Snyk Token, or you can sign up for free.
The Snyk Infrastructure as Code Action has properties which are passed to the underlying image. These are passed to the action using `with`:

| Property | Default | Description |
|---|---|---|
| args | | Override the default arguments to the Snyk image. |
| command | "test" | Specify which command to run, currently only test is supported. |
| file | | The paths in which to scan files with issues. |
| json | false | In addition to the stdout, save the results as snyk.json |
| sarif | true | In addition to the stdout, save the results as snyk.sarif |
You can specify the paths to the configuration files and directories to target during the test.
When no path is specified, the whole repository is scanned by default:
```yaml
name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          file: your/kubernetes-manifest.yaml your/terraform/directory
```
You can also choose to only report on high severity vulnerabilities:
```yaml
name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          file: your/kubernetes-manifest.yaml
          args: --severity-threshold=high
```
You can share your test results to the Snyk platform:
```yaml
name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --report
```
You can also choose the scan mode when scanning Terraform plan files:
```yaml
name: Example workflow for Snyk Infrastructure as Code
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check Kubernetes manifest file for issues
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --scan=resource-changes
```
The Infrastructure as Code Action also supports integrating with GitHub Code Scanning and can show issues in the GitHub Security tab. When run, a `snyk.sarif` file will be generated which can be uploaded to GitHub Code Scanning:
```yaml
name: Snyk Infrastructure as Code
on: push
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Run Snyk to check configuration files for security issues
        # Snyk can be used to break the build when it detects security issues.
        # In this case we want to upload the issues to GitHub Code Scanning
        continue-on-error: true
        uses: snyk/actions/iac@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
```
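With `continue-on-error: true` the job no longer fails on findings, so a later step has to decide whether the build should pass. As an added example (not part of this action or the original README), the following Python script reads the `snyk.sarif` file the action writes and exits non-zero when any result is at or above a chosen SARIF level; it relies only on the standard SARIF 2.1.0 layout, and the embedded sample document, including its rule ids, is constructed for illustration.

```python
import json
import sys

# Constructed SARIF 2.1.0 sample in the shape written when `sarif: true`.
# The rule ids and locations are made up; nothing here comes from a real scan.
def _loc(uri, line):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]

SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Snyk IaC"}},
        "results": [
            {"ruleId": "SNYK-CC-EXAMPLE-1", "level": "error",
             "locations": _loc("k8s/deploy.yaml", 12)},
            {"ruleId": "SNYK-CC-EXAMPLE-2", "level": "warning",
             "locations": _loc("k8s/deploy.yaml", 20)},
        ],
    }],
}

# SARIF result levels, most severe first.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


def findings(sarif):
    """Flatten every result of every run into level/rule/file/line records."""
    out = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            # A result may carry no location; fall back to "?" rather than crash.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "level": res.get("level", "warning"),  # SARIF default level
                "rule": res.get("ruleId", "?"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return out


def should_fail(sarif, threshold="error"):
    """True when at least one result is at or above the threshold level."""
    return any(LEVEL_RANK.get(f["level"], 0) >= LEVEL_RANK[threshold]
               for f in findings(sarif))


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for f in findings(data):
        print(f"{f['level']:8} {f['rule']:20} {f['file']}:{f['line']}")
    sys.exit(1 if should_fail(data) else 0)
```

Run it as a step after the upload (for example `python3 sarif_gate.py snyk.sarif`, a file name of your choosing) so the issues still reach Code Scanning while the job fails on error-level results.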
For more information on how to use the `snyk iac test` command, see the following: