Skip to content

Latest commit

 

History

History

python

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 

Snyk Python Action

A GitHub Action for using Snyk to check for vulnerabilities in your Python projects. This Action is based on the Snyk CLI and you can use all of its options and capabilities with the args.

Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry > > If manifest files are present under any location other root then they MUST be installed prior to running Snyk.

You can use the Action as follows:

name: Example workflow for Python using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Properties

The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using with.

Property Default Description
args Override the default arguments to the Snyk image. See Snyk CLI reference for all options
command test Specify which command to run, for instance test or monitor
json false In addition to the stdout, save the results as snyk.json

For example, you can choose to only report on high severity vulnerabilities.

name: Example workflow for Python using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

Uploading Snyk scan results to GitHub Code Scanning

Using --sarif-file-output Snyk CLI flag and the official GitHub SARIF upload action, you can upload Snyk scan results to the GitHub Code Scanning.

Snyk results as a SARIF output uploaded to GitHub Code Scanning

The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a continue-on-error option like this:

name: Example workflow for Python using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python@master
        continue-on-error: true # To make sure that SARIF upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

Made with 💜 by Snyk