diff --git a/python-3.11/README.md b/python-3.11/README.md new file mode 100644 index 0000000..9c0dc71 --- /dev/null +++ b/python-3.11/README.md @@ -0,0 +1,90 @@ +# Snyk Python (3.11) Action + +A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for +vulnerabilities in your Python-3.11 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. + + > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. + > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) + > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. + > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update + > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry + > + > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. + +You can use the Action as follows: + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.11@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` + +## Properties + +The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. + +| Property | Default | Description | +| -------- | ------- | --------------------------------------------------------------------------------------------------- | +| args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | +| command | test | Specify which command to run, for instance test or monitor | +| json | false | In addition to the stdout, save the results as snyk.json | + +For example, you can choose to only report on high severity vulnerabilities. + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.11@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high +``` + +## Uploading Snyk scan results to GitHub Code Scanning + +Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. + +![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) + +The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.11@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif +``` + +Made with 💜 by Snyk + +[cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' +[cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' diff --git a/python-3.11/action.yml b/python-3.11/action.yml new file mode 100644 index 0000000..3f83974 --- /dev/null +++ b/python-3.11/action.yml @@ -0,0 +1,26 @@ +name: "Snyk Python (3.11)" +description: "Check your Python application for vulnerabilties using Snyk" +author: "Gareth Rushgrove" +branding: + icon: "alert-triangle" + color: "yellow" +inputs: + command: + description: "Which Snyk command to run, defaults to test" + default: test + args: + description: "Additional arguments to pass to Snyk" + json: + description: "Output a snyk.json file with results if running the test command" + default: false +runs: + using: "docker" + image: "docker://snyk/snyk:python-3.11" + env: + FORCE_COLOR: 2 + SNYK_INTEGRATION_NAME: GITHUB_ACTIONS + SNYK_INTEGRATION_VERSION: python-3.11 + args: + - snyk + - ${{ inputs.command }} + - ${{ inputs.args }} diff --git a/python-3.12/README.md b/python-3.12/README.md new file mode 100644 index 0000000..63ba85b --- /dev/null +++ b/python-3.12/README.md @@ -0,0 +1,90 @@ +# Snyk Python (3.12) Action + +A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for +vulnerabilities in your Python-3.12 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`. + + > Note: The examples shared below reflect how Snyk github actions can be used. Snyk requires Python to have downloaded the dependencies before running or triggering the Snyk checks. + > The Python image checks and installs deps only if the manifest files are present in the current path (from where action is being triggered) + > 1. If pip is present on the current path , and Snyk finds a requirements.txt file, then Snyk runs pip install -r requirements.txt. + > 2. If pipenv is present on the current path, and Snyk finds a Pipfile without a Pipfile.lock, then Snyk runs pipenv update + > 3. If pyproject.toml is present in the current path and Snyk does not find poetry.lock then Snyk runs pip install poetry + > + > If manifest files are present under any location other root then they MUST be installed prior to running Snyk. + +You can use the Action as follows: + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.12@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` + +## Properties + +The Snyk Python Action has properties which are passed to the underlying image. These are passed to the action using `with`. + +| Property | Default | Description | +| -------- | ------- | --------------------------------------------------------------------------------------------------- | +| args | | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] | +| command | test | Specify which command to run, for instance test or monitor | +| json | false | In addition to the stdout, save the results as snyk.json | + +For example, you can choose to only report on high severity vulnerabilities. + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.12@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high +``` + +## Uploading Snyk scan results to GitHub Code Scanning + +Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning. + +![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png) + +The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this: + +```yaml +name: Example workflow for Python using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python-3.12@master + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif +``` + +Made with 💜 by Snyk + +[cli-gh]: https://github.com/snyk/snyk 'Snyk CLI' +[cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation' diff --git a/python-3.12/action.yml b/python-3.12/action.yml new file mode 100644 index 0000000..651820b --- /dev/null +++ b/python-3.12/action.yml @@ -0,0 +1,26 @@ +name: "Snyk Python (3.12)" +description: "Check your Python application for vulnerabilties using Snyk" +author: "Gareth Rushgrove" +branding: + icon: "alert-triangle" + color: "yellow" +inputs: + command: + description: "Which Snyk command to run, defaults to test" + default: test + args: + description: "Additional arguments to pass to Snyk" + json: + description: "Output a snyk.json file with results if running the test command" + default: false +runs: + using: "docker" + image: "docker://snyk/snyk:python-3.12" + env: + FORCE_COLOR: 2 + SNYK_INTEGRATION_NAME: GITHUB_ACTIONS + SNYK_INTEGRATION_VERSION: python-3.12 + args: + - snyk + - ${{ inputs.command }} + - ${{ inputs.args }}