CI with Snyk using GitHub Actions


GitHub Actions can be used as a CI tool for building, testing and deploying our code. With the aid of Snyk, it can also automate vulnerability checking.

Introduction

Snyk is a developer security platform for securing code, dependencies, containers, and infrastructure as code.

It can be used in IDEs such as IntelliJ, Visual Studio Code and so on as a tool to scan for vulnerabilities in the code and its libraries.

It can also be used to secure containers by finding and fixing issues in container images and continuously monitoring them.

It can also be integrated with CI/CD tools to find and fix issues in applications continuously.

In this article, we will integrate Snyk with GitHub Actions, the CI tool from GitHub, in order to secure our application continuously.

Create Action Secrets

Access tokens for Snyk and the npm registry are required for authentication when performing the security check and publishing the package respectively.

Action Secrets are encrypted environment variables. They are useful for storing sensitive information such as access tokens, and can be referenced from an Actions workflow file.

GitHub Action

Generate Access Token for publishing packages to npm Registry

  1. Log in to npm.

  2. Click "Access Tokens" on the popup menu shown when the profile image is clicked.

    npm Access Token

  3. Click the "Generate New Token" button on the "Access Tokens" page.

    npm Access Token

  4. In the "New Access Token" page shown, select "Automation" from the "Select type" list, and click "Generate Token".

    npm Access Token

  5. A new Token should then be generated. Copy the token for later use.

    npm Access Token

Generate Auth Token for authentication to Snyk

  1. Log in to Snyk.

  2. Go to Account Settings > API Token section.

  3. In the KEY field, click "click to show", then select and copy your token.

    Snyk Auth token

Create Action Secrets

Create Actions Secrets NPM_TOKEN and SNYK_TOKEN for access to npm repository and Snyk respectively.

  1. Log in to GitHub.

  2. Click the target repository.

  3. Select the "Settings" tab.

  4. On the "Settings" page, select "Secrets" on the left navigation menu. "Action secrets" page should be shown.

  5. Click the "New repository secret" button. A "New secret" page should be shown.

  6. Input "Name" and "Value" of the tokens, and then click the "Add secret" button.

    GitHub Action

Name          Value
NPM_TOKEN     { Access Token for npm }
SNYK_TOKEN    { Auth Token for Snyk }

Create a GitHub Action

  1. Open the target GitHub repository in browser.

  2. Click on the Actions tab.

  3. Click the link on "set up a workflow yourself".

    GitHub Action

  4. An editor should be shown for editing the workflow file main.yml.

    Edit GitHub Action

Compose GitHub Action workflow file

A basic GitHub Actions workflow file consists of 3 sections:

  • name: Action Name
  • on: How the action will be triggered.
  • jobs: Jobs to be performed when the Action is triggered.

  1. Update the name section.

     name: CI Publish, with security check using Snyk
    
  2. Keep the on section unchanged. By default, the action is triggered when a push or a pull request occurs on the main branch.

     # Controls when the workflow will run
     on:
       # Triggers the workflow on push or pull request events but only for the main branch
       push:
         branches: [ main ]
       pull_request:
         branches: [ main ]
    
  3. Update jobs section.

    There are 3 jobs set up in this Action:

    i. security: Use Snyk to check for any vulnerability.

    ii. build: This job builds the code. In this example, we build a Node.js application with several Node versions defined in an array, which lets us test the application on different Node versions very easily.

    iii. publish: Publish the package to the npm repository, allowing other developers to download and install the package simply by using the npm install command.

    To set up a job that depends on other job(s) to be run successfully, needs can be used. For example, needs: [security, build] means that the job publish requires the jobs security and build to be executed successfully before it can be run. If either of the jobs fails, the publish job will not be executed.

    Edit GitHub Action - Job Dependency

    The rest of the workflow file (the jobs section) is listed below:

     # A workflow run is made up of one or more jobs that can run sequentially or in parallel
     jobs:
       security:
         runs-on: ubuntu-latest
         steps:
           - uses: actions/checkout@master
           - name: Run Snyk to check for vulnerabilities
             uses: snyk/actions/node@master
             env:
               SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
             with:
               command: monitor
    
       build:
         runs-on: ubuntu-latest
         strategy:
           matrix:
             # node-version must be nested under matrix, one level deeper
             node-version: [10.x, 12.x, 14.x, 15.x]
    
         steps:
           # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
           - uses: actions/checkout@v2
           - name: Use Node.js ${{matrix.node-version }}
             uses: actions/setup-node@v2
             with:
               node-version: ${{ matrix.node-version }}
           - name: Install dependencies
             run: npm ci
           - run: npm run build --if-present
           - run: npm test
    
       publish:
         needs: [security, build]
         runs-on: ubuntu-latest
         steps:
           - uses: actions/checkout@v2
           - name: Use Node.js
             uses: actions/setup-node@v2
             with:
               node-version: '15.x'
               registry-url: 'https://registry.npmjs.org'
           - name: Install dependencies
             run: npm ci
           - name: Publish
             run: npm publish
             env:
               NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
    
  4. Commit the workflow file.

    • Click "Start Commit" button on the left.
    • Input description. It is better to input the Action Name, since it will be shown in the Action History.
    • Click "Commit changes" button.

      Commit GitHub Action workflow file

    • Once the "Commit changes" button is clicked, the Action will be triggered to execute.

Run the GitHub Action

Our GitHub Action is triggered when the workflow file is updated or when a push or pull request occurs on the main branch.

  1. Once the Action is triggered, the defined jobs will be run.

    GitHub Action In Progress

  2. Once the Action is completed successfully, a green tick will be shown.

    GitHub Action Completed

  3. Upon completion, check the security job details by clicking the security link on the summary panel on the left.

    GitHub Action Completed - security job

     security:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@master
         - name: Run Snyk to check for vulnerabilities
           uses: snyk/actions/node@master
           env:
             SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
           with:
             command: monitor
    

    With the monitor command, the scan is performed and a report is generated, but the workflow is not interrupted. In other words, even if vulnerabilities are found, the job finishes successfully without error, and the next job is not affected and starts as normal.

    To view the report, open in a browser the link shown after "Explore this snapshot at" in the output of the "Run Snyk to check for vulnerabilities" step of the security job.

    GitHub Action - Snyk Report Link

    GitHub Action - Snyk Report

    It is recommended to use the monitor command at the beginning, to find vulnerabilities during the development stage. After the vulnerabilities are fixed or ignored, in the production stage we can then switch to the snyk test command. This command fails the build when vulnerabilities are found, so we can decide whether to stop or continue the build for production deployment.

  4. Check the build jobs details by clicking the build link on the summary panel on the left.

    GitHub Action Completed - build job

  5. Check the publish job details by clicking the publish link on the summary panel on the left.

    GitHub Action Completed - publish job

  6. Check whether the package is published at npm repository.

    GitHub Action Completed - publish job
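As an added example (not part of the original article), here is how the security job can be rewritten once the findings are fixed or ignored: snyk test fails the job on findings, so the publish job, which needs security, is genuinely blocked rather than only reported on as with monitor. The severity threshold and the use of tagged action releases are assumptions, not settings from the article.

```yaml
# Added example: a "security" job that gates "publish" on the scan result.
# The build job is unchanged from the article and is omitted here.
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      # Pin to a tagged release (as the build job already does) rather than a
      # moving branch such as @master, so an upstream commit cannot alter the CI step.
      - uses: actions/checkout@v2
      - name: Run Snyk test (fails the job when vulnerabilities are found)
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # "test" is the default Snyk command and exits non-zero on findings
          command: test
          # Assumed policy: only high and critical severity fail the build
          args: --severity-threshold=high
      # Still record a snapshot in the Snyk UI so the project is monitored over time;
      # this step only runs if the test step above passed.
      - name: Record snapshot in Snyk
        if: success()
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

  publish:
    # Because "security" now fails on findings, publish is really blocked by them
    needs: [security, build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '15.x'
          registry-url: 'https://registry.npmjs.org'
      - name: Install dependencies
        run: npm ci
      - name: Publish
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

When a pull request is opened, a failed security job shows as a red cross on the check, and the publish job is shown as skipped rather than run.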

Conclusion

Security vulnerabilities can be exploited and should be closely monitored. By applying a security scan during CI/CD, our applications can be continuously monitored against security threats.
