-
Notifications
You must be signed in to change notification settings - Fork 186
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3e2680e
commit 945524a
Showing
4 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,6 +33,7 @@ | |
| "Python-3.10", | ||
| "Ruby", | ||
| "Scala", | ||
| "Swift", | ||
| ] | ||
|
|
||
| templatename = File.join("_templates", "BASE.md.erb") | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| # Snyk Swift Action | ||
|
|
||
| A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for | ||
| vulnerabilities in your Swift projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. | ||
|
|
||
|
|
||
| You can use the Action as follows: | ||
|
|
||
| ```yaml | ||
| name: Example workflow for Swift using Snyk | ||
| on: push | ||
| jobs: | ||
| security: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@master | ||
| - name: Run Snyk to check for vulnerabilities | ||
| uses: snyk/actions/swift@master | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| ``` | ||
| ## Properties | ||
| The Snyk Swift Action has properties which are passed to the underlying image. These are passed to the action using `with`. | ||
|
|
||
| | Property | Default | Description | | ||
| | -------- | ------- | --------------------------------------------------------------------------------------------------- | | ||
| | args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | | ||
| | command | test | Specify which command to run, for instance test or monitor | | ||
| | json | false | In addition to the stdout, save the results as snyk.json | | ||
|
|
||
| For example, you can choose to only report on high severity vulnerabilities. | ||
|
|
||
| ```yaml | ||
| name: Example workflow for Swift using Snyk | ||
| on: push | ||
| jobs: | ||
| security: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@master | ||
| - name: Run Snyk to check for vulnerabilities | ||
| uses: snyk/actions/swift@master | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| with: | ||
| args: --severity-threshold=high | ||
| ``` | ||
|
|
||
| ## Uploading Snyk scan results to GitHub Code Scanning | ||
|
|
||
| Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. | ||
|
|
||
|  | ||
|
|
||
| The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: | ||
|
|
||
| ```yaml | ||
| name: Example workflow for Swift using Snyk | ||
| on: push | ||
| jobs: | ||
| security: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@master | ||
| - name: Run Snyk to check for vulnerabilities | ||
| uses: snyk/actions/swift@master | ||
| continue-on-error: true # To make sure that SARIF upload gets called | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| with: | ||
| args: --sarif-file-output=snyk.sarif | ||
| - name: Upload result to GitHub Code Scanning | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: snyk.sarif | ||
| ``` | ||
|
|
||
| Made with 💜 by Snyk | ||
|
|
||
| [cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' | ||
| [cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| name: "Snyk Swift" | ||
| description: "Check your Swift application for vulnerabilties using Snyk" | ||
| author: "Gareth Rushgrove" | ||
| branding: | ||
| icon: "alert-triangle" | ||
| color: "yellow" | ||
| inputs: | ||
| command: | ||
| description: "Which Snyk command to run, defaults to test" | ||
| default: test | ||
| args: | ||
| description: "Additional arguments to pass to Snyk" | ||
| json: | ||
| description: "Output a snyk.json file with results if running the test command" | ||
| default: false | ||
| runs: | ||
| using: "docker" | ||
| image: "docker://snyk/snyk:swift" | ||
| env: | ||
| FORCE_COLOR: 2 | ||
| SNYK_INTEGRATION_NAME: GITHUB_ACTIONS | ||
| SNYK_INTEGRATION_VERSION: swift | ||
| args: | ||
| - snyk | ||
| - ${{ inputs.command }} | ||
| - ${{ inputs.args }} |