Convert Snyk JSON CLI output to SARIF for use in GitHub Security


garethr/snyk-to-sarif


Snyk to SARIF Action

A GitHub Action for converting Snyk JSON output to SARIF, for use with GitHub Security.

A Snyk vulnerability shown in GitHub Security

Usage

You can use the Action as follows, combining it with the Snyk Actions which do the actual testing:

```yaml
name: Test a Docker image with Snyk

on:
  push:
    branches: [ master ]
  workflow_dispatch:

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout the code
      uses: actions/checkout@v2
    - name: Build the image
      env:
        DOCKER_BUILDKIT: 1
      # The tag given here must match the `image` passed to the Snyk step below
      run: docker build . -t your-image
    - name: Run Snyk to check image for vulnerabilities
      continue-on-error: true
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        image: your-image
        args: --file=Dockerfile
        json: true
    - uses: garethr/snyk-to-sarif@master
    - uses: actions/upload-artifact@v2
      with:
        name: SARIF
        path: snyk.sarif
    - name: Upload the SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: snyk.sarif
```

Inputs

The Snyk to SARIF Action has properties which are passed to the underlying image. These are passed to the action using with.

| Property | Default | Description |
| --- | --- | --- |
| `input` | `snyk.json` | Where to find the Snyk JSON file |
| `file` | - | Which file in the repository to associate the discovered issues with. Most of the time this will be autodetected |
| `output` | `snyk.sarif` | Where to save the resulting SARIF file |

All have defaults so in many cases (like the one above) you shouldn't have to pass anything extra.

Details

Most of the above example is not specific to Snyk to SARIF. The following are the most pertinent parts:

If vulnerabilities are found the Snyk step fails, but we still want to upload the SARIF file, so we need to ignore errors on that step.

```yaml
continue-on-error: true
```

The `json` property on the Snyk Action means that, as well as outputting the test results to the console, Snyk will also save the JSON file of the results on the local filesystem.

```yaml
json: true
```

The conversion is done by the following line. This reads the `snyk.json` file from the previous step and outputs a `snyk.sarif` file.

```yaml
- uses: garethr/snyk-to-sarif@master
```

Finally we upload the SARIF file to GitHub in order for it to present the results in the Security tab.

```yaml
- name: Upload the SARIF file
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: snyk.sarif
```
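To make the conversion step concrete, here is an added example (not the action's own code) of how Snyk CLI JSON maps onto a SARIF 2.1.0 log. It assumes the common Snyk JSON fields (`vulnerabilities` entries with `id`, `title`, `severity`, `packageName`, `version`, `from`, `description`, plus a top-level `displayTargetFile`), and the `file_override` parameter plays the role of the action's `file` input; the sample input is constructed, not real scanner output.

```python
import json

# Constructed sample of `snyk test --json` output, trimmed to the fields used
# below; the ids, package names and descriptions are placeholders.
SNYK_JSON = json.dumps({
    "displayTargetFile": "Dockerfile",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Example vulnerability (constructed)",
         "severity": "high", "packageName": "examplepkg", "version": "1.0.0",
         "from": ["your-image@latest", "examplepkg@1.0.0"],
         "description": "Constructed description for the first example."},
        {"id": "SNYK-EXAMPLE-0002", "title": "Another example (constructed)",
         "severity": "low", "packageName": "otherpkg", "version": "2.3.4",
         "from": ["your-image@latest", "otherpkg@2.3.4"],
         "description": "Constructed description for the second example."},
    ],
})

# Snyk severities folded onto the three SARIF result levels.
SEVERITY_TO_LEVEL = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}


def snyk_to_sarif(snyk_text, file_override=None):
    """Convert Snyk JSON text into a SARIF 2.1.0 log (as a dict).

    file_override mirrors the action's `file` input; when None, the target
    file Snyk reports is used, falling back to "Dockerfile" (an assumption).
    """
    data = json.loads(snyk_text)
    target = file_override or data.get("displayTargetFile") or "Dockerfile"
    rules, results, seen = [], [], set()
    for vuln in data.get("vulnerabilities", []):
        rule_id = vuln["id"]
        if rule_id not in seen:  # one SARIF rule per distinct Snyk issue id
            seen.add(rule_id)
            rules.append({"id": rule_id,
                          "shortDescription": {"text": vuln["title"]},
                          "fullDescription": {"text": vuln.get("description", "")}})
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(vuln.get("severity", "low"), "note"),
            "message": {"text": f"{vuln['title']} in {vuln['packageName']}@"
                                f"{vuln['version']} (path: {' > '.join(vuln.get('from', []))})"},
            # A dependency finding has no line number, so the result is attached
            # to the whole target file; GitHub needs some location to show it.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": target}}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "Snyk", "rules": rules}},
                      "results": results}]}
```

Writing the returned dict with `json.dump` to `snyk.sarif` gives a file that `upload-sarif` accepts, which is what the action step does between `input` and `output`.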
