GitHub Action for reporting a vulnerability. Use it with a scheduled GitHub Actions workflow.

Inputs:

- `report-file` - Name of the file with a report created by Snyk.
- `timestamp` - The timestamp of the Snyk run. All Snyk runs with the same timestamp are treated as a single search, i.e. only vulnerabilities not detected across all runs with the same timestamp will be removed.
- `category` - Optional 'Snyk-category' label added to the Issue.

Environment variables:

- `TOKEN` - Environment variable containing the value of the `GITHUB_TOKEN` secret.

The following workflow runs a scheduled check every Monday at 02:00.
First it runs a check using Snyk with the token generated on the Snyk web site.
If Snyk finds an issue, it writes an error to stderr and creates a report file.
If the Snyk step fails (an issue was found), the last step runs and reports the issue if it was not already reported.
```yaml
name: Workflow for Maven using Snyk
on:
  schedule:
    - cron: '0 2 * * 1'
jobs:
  security:
    runs-on: ubuntu-latest
    env:
      REPORT_FILE: test.json
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven-3-jdk-11@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: --json-file-output=${{ env.REPORT_FILE }}
      - name: Report new vulnerabilities
        uses: thehyve/report-vulnerability@master
        with:
          report-file: ${{ env.REPORT_FILE }}
          timestamp: 2025-01-01T00:00:00Z
          category: 'radarbase/radar-home:latest'
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ failure() }}
```
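The reconciliation rule described above (open an issue for each new finding, and close only the issues that no run with the current timestamp reported) is easy to get wrong when several runs share one timestamp, for example one run per module. The following is an added example written independently for this page, not the action's own source code. It assumes a simplified `snyk test --json` layout with a top-level `vulnerabilities` list whose entries carry `id`, `title`, `severity` and `packageName`; the report and the pre-existing issue are constructed sample data.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of `snyk test --json` output (assumed layout:
# a top-level "vulnerabilities" list; a multi-module build yields a list of such objects).
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "maven",
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "title": "Example Deserialization Flaw",
         "severity": "high", "packageName": "example:lib-a", "version": "1.0.0"},
        {"id": "SNYK-EXAMPLE-0002", "title": "Example ReDoS",
         "severity": "medium", "packageName": "example:lib-b", "version": "2.3.4"},
    ],
})


@dataclass
class Issue:
    """Tracker state for one vulnerability/package pair (hypothetical model of a GitHub Issue)."""
    key: str
    title: str
    last_seen: str        # timestamp label of the most recent run that reported it
    closed: bool = False


def parse_report(text: str) -> dict[str, dict]:
    """Return {key: vulnerability} for every finding in a Snyk JSON report."""
    data = json.loads(text)
    projects = data if isinstance(data, list) else [data]
    found: dict[str, dict] = {}
    for project in projects:
        for vuln in project.get("vulnerabilities", []):
            # id alone is not unique: the same advisory can hit several packages
            found[f"{vuln['id']}@{vuln['packageName']}"] = vuln
    return found


def reconcile(found: dict[str, dict], issues: dict[str, Issue], timestamp: str) -> dict[str, list[str]]:
    """Apply one run's findings to the tracker state and report what changed.

    An issue is closed only when its last sighting carries a different
    timestamp than the current run. A later run with the same timestamp that
    still sees the vulnerability reopens it, so after all runs sharing a
    timestamp finish, exactly the findings none of them reported stay closed.
    """
    opened, reopened, closed = [], [], []
    for key, vuln in found.items():
        issue = issues.get(key)
        if issue is None:
            issues[key] = Issue(key, vuln["title"], timestamp)
            opened.append(key)
        else:
            if issue.closed:
                issue.closed = False
                reopened.append(key)
            issue.last_seen = timestamp
    for key, issue in issues.items():
        if not issue.closed and issue.last_seen != timestamp:
            issue.closed = True
            closed.append(key)
    return {"opened": opened, "reopened": reopened, "closed": closed}


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Two runs sharing one timestamp: the second, empty run must not undo the first."""
    old_key = "SNYK-EXAMPLE-0009@example:lib-old"   # constructed, reported by an earlier run
    issues = {old_key: Issue(old_key, "Old finding", "2024-12-30T02:00:00Z")}
    run_ts = "2025-01-06T02:00:00Z"
    first = reconcile(parse_report(SAMPLE_REPORT), issues, run_ts)
    second = reconcile({}, issues, run_ts)   # another module, nothing found
    return first, second


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The key point the example makes concrete is the last loop in `reconcile`: closing is decided by comparing timestamps, not by "absent from this run", which is what keeps a clean module from closing issues that a sibling module's run with the same timestamp just confirmed.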