From f9921813f78ab52accacf4b40851a1518be650f0 Mon Sep 17 00:00:00 2001 From: Sebastian Roth <97243337+sebsnyk@users.noreply.github.com> Date: Tue, 2 Apr 2024 14:31:34 +0100 Subject: [PATCH] Add SNYK_API documentation (#82) --- GitHub/README.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/GitHub/README.md b/GitHub/README.md index 53f4b40..6e418b8 100644 --- a/GitHub/README.md +++ b/GitHub/README.md @@ -4,7 +4,7 @@ Using Snyk Effectively on Github ## Using Snyk Actions All of these workflow use [Snyk Actions](https://github.com/snyk/actions) to execute the desired use cases. -In order to use the Snyk Action, you will need to have a Snyk API token. You can sign up for a [free account](www.snyk.io/login) and save your [API token](https://github.com/snyk/actions#getting-your-snyk-token) as a secret in your Github repository. +In order to use the Snyk Action, you will need to have a Snyk API token. You can sign up for a [free account](www.snyk.io/login) and save your [API token](https://github.com/snyk/actions#getting-your-snyk-token) as a [secret](https://docs.github.com/en/actions/security-guides/encrypted-secrets) in your Github repository. ### Inline display of SARIF data Github supports the inline display of scan results. @@ -18,9 +18,10 @@ On an issue-card you can immediately review the issue: See [GH-actions-pipeline-npm-nodejs-sarif.yml](GH-actions-pipeline-npm-nodejs-sarif.yml) for instructions how to get this output and build-workflow. ### Open Source Delta Check + This workflow lets you block pipelines only if new vulnerabilities are introduced. It uses the [Snyk Delta](https://github.com/snyk-tech-services/snyk-delta) tool to do the comparison with an already existing monitored projects to show results. -```bash +```yaml jobs: security: runs-on: ubuntu-latest 
@@ -41,9 +42,10 @@ jobs: ``` ### Code Scanning Alerts for Snyk Code (SAST) + This workflow tests your application for SAST vulnerabities and then presents them in the Secuirty tab of Github. It provides in-line details of where the vulnerability is found and provides details and guidance to fix it. -```bash +```yaml jobs: snyk: runs-on: ubuntu-latest @@ -61,11 +63,11 @@ jobs: sarif_file: snyk_sarif ``` - ### Container Monitor Results + This workflow lets you inspect your image for vulnerabilities, and creates a project on your Snyk Account with the available base image remediation recommendations. -```bash +```yaml jobs: security: runs-on: ubuntu-latest @@ -83,9 +85,11 @@ jobs: ``` ### Code Scanning IaC Results + This workflow tests your infrastructure as code files for misconfigurations and populates them in the Secuirty Tab of Github. It requires the path to the configuration file that you would like to test. For example `deployment.yaml` for a Kubernetes deployment manifest or `main.tf` for a Terraform configuration file. -```name: Snyk Infrastructure as Code Check +```yaml +name: Snyk Infrastructure as Code Check jobs: snyk: runs-on: ubuntu-latest 
@@ -104,3 +108,22 @@ jobs: sarif_file: snyk.sarif name: Infrastructure as Code Snyk Results ``` + +### Connect to different Snyk data centers + +If your data residency is different to the standard US instance of Snyk, then `SNYK_API` can be used. +Make sure to configure this variable according to the [documentation](https://docs.snyk.io/more-info/data-residency-at-snyk#cli-and-ci-pipelines-urls) within the [secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) of the repository. + +```yaml +name: Snyk Open Source Scan (.NET) +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/dotnet@master + env: + SNYK_API: ${{ secrets.SNYK_API }} + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` \ No newline at end of file
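Review bot: In the hunk at `@@ -4,7 +4,7 @@`, the touched line still links the free account as `[free account](www.snyk.io/login)`; without a scheme, Markdown renders this as a relative link to `GitHub/www.snyk.io/login` inside the repository, so while editing this line change it to `https://snyk.io/login` (or whatever the canonical login URL is). The same line also writes "Github" where the product name is "GitHub"; the new `[secret](...)` link itself is a good addition.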
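Review bot: In the hunk at `@@ -18,9 +18,10 @@`, the unchanged context line "to do the comparison with an already existing monitored projects" mixes singular and plural; since the hunk already touches this section (blank line and the `bash` to `yaml` fence fix, which is correct, the block is a workflow file), it would be cheap to also make it "an already existing monitored project".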
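Review bot: In the hunk at `@@ -41,9 +42,10 @@`, the added line carries two typos, "vulnerabities" and "Secuirty"; since the patch is rewriting this line anyway, it should read "This workflow tests your application for SAST vulnerabilities and then presents them in the Security tab of GitHub." The fence change from `bash` to `yaml` is correct for a workflow snippet.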
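Review bot: In the hunk at `@@ -83,9 +85,11 @@`, the fix of the broken fence (`\`\`\`name: Snyk Infrastructure as Code Check` split into a `\`\`\`yaml` fence plus a `name:` line) is the right repair, but the added description line repeats the "Secuirty Tab" typo; change it to "Security tab" while the line is being touched.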
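Review bot: In the hunk at `@@ -104,3 +108,22 @@`, the new workflow example pins `snyk/actions/dotnet@master` and `actions/checkout@v2`: referencing a mutable branch means the scanning step runs whatever `master` contains at the moment of each run, so from a supply-chain point of view the documentation should show a tagged release or a full commit SHA, and `actions/checkout@v2` is superseded by newer major versions. Two smaller points on the same hunk: `SNYK_API` is an endpoint URL rather than a credential, so the prose could mention that a repository variable is also acceptable where the org does not want to treat it as a secret (the linked Snyk docs are the reference for the valid values); and the new text should read "different from the standard US instance" rather than "different to". The file is also left without a trailing newline (`\ No newline at end of file`), which should be restored.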