Setting Up Snyk in CI/CD Pipelines
Integrating Snyk into CI/CD pipelines provides continuous security validation on every build:
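# GitHub Actions integration
name: Container Security Scan
on: [push, pull_request]

# Least-privilege token: the SARIF upload step needs security-events: write;
# nothing in this job needs write access to repository contents.
permissions:
  contents: read
  security-events: write

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      # A floating branch ref is a supply-chain risk: whatever lands on that
      # branch runs here with SNYK_TOKEN in scope.
      # TODO: pin to a release tag or a full commit SHA, e.g. snyk/actions/docker@<COMMIT_SHA>
      - name: Run Snyk to check container vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: myapp:${{ github.sha }}
          # Only report (and fail on) findings of high or critical severity.
          args: --severity-threshold=high

      # if: always() — the Snyk step exits non-zero when it finds issues, and
      # those are exactly the runs whose results must reach Code Scanning.
      - name: Upload results to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: snyk.sarif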
The equivalent Jenkins declarative pipeline:
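// Jenkins declarative pipeline: build the image, gate on Snyk findings,
// publish the report even when the gate fails, and keep the image monitored.
pipeline {
    agent any
    environment {
        // Resolved from the Jenkins credential store; never hard-code the token here.
        SNYK_TOKEN = credentials('snyk-api-token')
    }
    stages {
        stage('Build') {
            steps {
                // Single-quoted Groovy string: ${BUILD_NUMBER} is expanded by the
                // shell, not by Groovy, so no env var is interpolated into the
                // pipeline script itself.
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }
        stage('Security Scan') {
            steps {
                // Write the report into its own directory: publishing the whole
                // workspace (reportDir: '.') would expose every file in it through
                // the Jenkins UI.
                sh '''
                    mkdir -p snyk-report
                    snyk container test myapp:${BUILD_NUMBER} \
                      --severity-threshold=high \
                      --json > snyk-report/snyk-results.json
                '''
            }
            post {
                // snyk test exits non-zero when it finds issues, which fails the
                // stage; publishing from post/always means those runs — the ones
                // that matter — still get a report instead of being skipped.
                always {
                    publishHTML([
                        allowMissing: false,
                        alwaysLinkToLastBuild: true,
                        keepAll: true,
                        reportDir: 'snyk-report',
                        reportFiles: 'snyk-results.json',
                        reportName: 'Snyk Security Report'
                    ])
                }
            }
        }
    }
    post {
        always {
            // Register the image with Snyk so vulnerabilities disclosed later are
            // reported against it. Runs even when the gate fails; use success { }
            // instead if only images that passed the scan should be tracked.
            sh 'snyk container monitor myapp:${BUILD_NUMBER}'
        }
    }
}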