Snyk is a great tool for vulnerability scanning, it’s included in Docker Desktops docker scan feature (10 “free” scans, then requires registration) and has it’s own CLI tools for code and container scanning. It is, also, available as a pipeline action. Here is how to use it with GITHub actions.
First, Create a secret on your GITHub project:
Settings > Secrets > Actions
Name it SNYK_TOKEN
It can also be created with GitHUB CLI:
~$ gh secret set SNYK_TOKENYour SNYK_TOKEN is your AUTH TOKEN found in the Snyk User Dashboard.
Second, create a GitHUB actions file under .github/snyk.yml in your repo.
name: Snyk Container Scanning
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
snyk:
name: Build and Scan
runs-on: ubuntu-latest
steps:
- name: Checkout Source Code
uses: actions/checkout@v3
- name: Build Docker Image
run: docker build -t project:sec .
- name: Run Snyk to check image for vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: project:sec
args: --file=Dockerfile
- name: Report To GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarifThis will, on push to/merge with main, build a new Docker image from your repo and scan it with Snyk. It will also report any found issues to GITHub Code Scanning, under the repos “Security” tab.
That’s a good scan, woof 👾