A set of GitHub Actions for using Snyk to check for vulnerabilities in your GitHub projects. A different action is required depending on which language or build tool you are using. We currently support:
- CocoaPods
- DotNet
- Golang
- Gradle
- Gradle-jdk11
- Gradle-jdk12
- Maven
- Maven-3-jdk-11
- Node
- PHP
- Python
- Ruby
- Scala
- Docker
Here's an example of using one of the Actions, in this case to test a Node.js project:

```yaml
name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

If you want to send data to Snyk, and be alerted when new vulnerabilities are discovered, you can run Snyk monitor like so:
```yaml
name: Example workflow using Snyk
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
```

See the individual Actions linked above for per-language instructions.
Note: GitHub Actions does not pass repository secrets to workflow runs triggered by pull requests from forks, so the Snyk actions that require the token will fail in those runs.
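The following workflow is an added example, not part of this repository's own documentation. It combines the `test` and `monitor` usage shown above into one job that fails pull requests on findings, records a `monitor` snapshot only from the default branch, and skips runs for fork pull requests, where the token is unavailable. The `main` branch name and the `<pinned-commit-sha>` placeholders are assumptions (pin to a real full-length commit SHA), and `args` is assumed to be an input the action accepts for passing CLI options.

```yaml
name: Snyk test on pull requests, monitor on main
on:
  push:
    branches: [main]   # assumed default branch name
  pull_request:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    # Skip pull requests from forks: secrets.SNYK_TOKEN is not passed to
    # them, so the Snyk steps would fail anyway. Pushes always run.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      # Pin third-party actions to a full commit SHA rather than a moving
      # branch such as @master, so a later change to the action cannot
      # silently alter what runs with access to SNYK_TOKEN.
      - uses: actions/checkout@<pinned-commit-sha>   # placeholder

      - name: Snyk test (fails the job on findings)
        uses: snyk/actions/node@<pinned-commit-sha>   # placeholder
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high   # assumed action input

      # Only record a monitor snapshot for the default branch, so the Snyk
      # project reflects what is deployed rather than every open PR.
      - name: Snyk monitor (default branch only)
        if: github.event_name == 'push'
        uses: snyk/actions/node@<pinned-commit-sha>   # placeholder
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
```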