May 25, 2023
Syncing Snyk with GitHub SCM using the Snyk API
Introduction

Integrating a security scanner into the development workflow lets you find vulnerable dependencies before they ship. Snyk is one such platform: it finds, fixes and monitors vulnerabilities in open-source dependencies, container images, infrastructure as code and application code. Snyk's GitHub integration normally requires someone to pick repositories to import by hand in the Snyk UI; in this blog post we will instead sync Snyk with GitHub SCM automatically, using the Snyk API through the snyk-api-import command-line tool, driven by a scheduled GitHub Actions workflow.

Prerequisites

Before we dive into the integration process, make sure you have the following requirements fulfilled:

  • A GitHub account with access to the repositories you want to sync with Snyk.
  • A Snyk account that administers the Snyk organization(s) you will import into, each of which already has a GitHub integration configured (the import references the integration's ID).
  • A GitHub personal access token (PAT) with read access to the repositories to be imported (at minimum the classic repo scope for private repositories). You can create a PAT by following the official GitHub documentation. A PAT is a long-lived credential tied to a user, so prefer a dedicated machine user with read-only access and rotate the token.
  • A Snyk API token, which you can generate from your Snyk account settings. For unattended automation, a Snyk service account token scoped to the organization is preferable to a personal token.

Integration Steps

To integrate Snyk with GitHub SCM, we will use a GitHub Actions workflow that runs on a schedule. Each run installs snyk-api-import, generates the list of GitHub repositories to import from a small orgs file kept in the repository, and then imports those repositories into Snyk as projects.

Step 1: Setting up the workflow file

Create a new file called .github/workflows/snyk-sync.yml in your repository and paste the following code:

        
    name: snyk-sync

    on:
      schedule:
        - cron: '0 0 * * *'   # daily at 00:00 UTC
      workflow_dispatch:      # allow a manual run while testing the setup

    # The job only needs to read the repository that holds snyk-orgs.json.
    permissions:
      contents: read

    jobs:
      snyk-import:
        runs-on: ubuntu-latest
        env:
          # snyk-api-import reads the GitHub PAT from GITHUB_TOKEN. The secret itself
          # must use a different name: GitHub rejects secret names that begin with
          # GITHUB_, and the built-in secrets.GITHUB_TOKEN is scoped to this
          # repository only, so it cannot enumerate the organization's repositories.
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          # Where snyk-api-import writes its logs and the generated targets file.
          SNYK_LOG_PATH: "."
        steps:
          - name: Checkout code
            uses: actions/checkout@v3
          - name: Set up Node.js
            uses: actions/setup-node@v3
            with:
              node-version: '14.x'
          - name: Install dependencies
            # Only needed if this repository has a package.json of its own.
            run: npm install
          - name: Install snyk-api-import
            run: npm install snyk-api-import@latest -g
          - name: Create import data for Snyk
            run: DEBUG=*snyk* snyk-api-import import:data --orgsData=${{ github.workspace }}/snyk-orgs.json --source=github
          - name: Import data to Snyk
            run: DEBUG=*snyk* snyk-api-import import --file=${{ github.workspace }}/github-import-targets.json

        
    

Step 2: Understanding the workflow steps

Let's break down the different steps in the workflow:

  • The on section defines when the workflow runs. The cron expression '0 0 * * *' runs it daily at midnight (00:00) UTC; workflow_dispatch additionally lets you trigger it by hand from the Actions tab, which is useful for the first run.
  • The permissions block restricts the job's automatic token to read-only access to the repository contents, which is all the checkout step needs.
  • The snyk-import job runs on the latest Ubuntu runner image.
  • The env section sets up the environment variables that snyk-api-import reads:
    • GITHUB_TOKEN holds the GitHub personal access token. It is populated from a repository secret named GH_PAT, because GitHub does not allow secret names to start with GITHUB_ and the built-in GITHUB_TOKEN only grants access to the repository running the workflow.
    • SNYK_TOKEN holds the Snyk API token.
    • SNYK_LOG_PATH specifies the directory where snyk-api-import writes its logs and the generated targets file. In this example that is the current directory ("."), which is the checked-out workspace.
  • The workflow then proceeds with the following steps:
    • Checking out the repository code using actions/checkout@v3; the checkout is needed because snyk-orgs.json lives in the repository. For supply-chain hygiene, pin actions to a full commit SHA rather than a moving tag.
    • Setting up the Node.js environment using actions/setup-node@v3. Node 14 reached end of life in April 2023, so switch node-version to a currently supported release that snyk-api-import supports.
    • Installing project dependencies with npm install (only needed if the repository has its own package.json).
    • Installing the snyk-api-import package globally using npm install snyk-api-import@latest -g. Installing @latest on every run means an upstream release changes your pipeline without review; pin an exact version if that matters to you.
    • Creating import data for Snyk by executing snyk-api-import import:data. This step reads snyk-orgs.json, which you maintain in the repository, enumerates the GitHub repositories of each organization listed there, and writes github-import-targets.json into SNYK_LOG_PATH.
    • Importing the data into Snyk by executing snyk-api-import import. This step reads the generated github-import-targets.json and creates a Snyk project for each target, logging any target that fails to import.

Step 3: Configuring Snyk and GitHub integration

To ensure successful synchronization between Snyk and GitHub, you need to provide the necessary data in snyk-orgs.json, the only file you author by hand; github-import-targets.json is produced from it by import:data on each run. For every GitHub organization you want to sync, snyk-orgs.json pairs the GitHub organization name with the Snyk organization ID and the ID of that organization's GitHub integration (both are shown under the organization's settings in the Snyk UI, and both are also available through the Snyk API). If you manage many organizations, snyk-api-import can generate this file for you with its orgs:data command. For the exact file formats, refer to the snyk-api-import documentation and the Snyk API documentation.
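A misconfigured snyk-orgs.json (a wrong integration ID, an organization missing from the file) is the most common reason a scheduled import silently creates nothing, and the only signal is a log file on a runner that has already been discarded. The following pre-flight check, an added example rather than code from the original post or from the snyk-api-import project, validates both files before the import step. The sample documents are constructed, the UUIDs are placeholders, and the field names (orgs[].name, orgs[].orgId, orgs[].integrations.github; targets[].orgId, targets[].integrationId, targets[].target.{owner,name,branch}) follow the snyk-api-import file formats as documented at the time of writing; confirm them against the current docs before relying on the check.

```python
import json
import re

# Constructed sample of the hand-written orgs file that `import:data --source=github`
# reads. Field names follow the snyk-api-import docs as understood at the time of
# writing (orgId = Snyk org UUID, name = GitHub org to enumerate,
# integrations.github = the GitHub integration's UUID). UUIDs are placeholders.
SAMPLE_ORGS_JSON = """
{
  "orgs": [
    {
      "name": "example-github-org",
      "orgId": "11111111-1111-1111-1111-111111111111",
      "integrations": {"github": "22222222-2222-2222-2222-222222222222"}
    }
  ]
}
"""

# Constructed sample of what `import:data` writes and `import --file=` consumes.
# It deliberately contains a duplicate target and a target whose orgId is not in
# the orgs file, so the check has something to report.
SAMPLE_TARGETS_JSON = """
{
  "targets": [
    {"orgId": "11111111-1111-1111-1111-111111111111",
     "integrationId": "22222222-2222-2222-2222-222222222222",
     "target": {"name": "payments-api", "owner": "example-github-org", "branch": "main"}},
    {"orgId": "11111111-1111-1111-1111-111111111111",
     "integrationId": "22222222-2222-2222-2222-222222222222",
     "target": {"name": "payments-api", "owner": "example-github-org", "branch": "main"}},
    {"orgId": "99999999-9999-9999-9999-999999999999",
     "integrationId": "22222222-2222-2222-2222-222222222222",
     "target": {"name": "legacy-web", "owner": "example-github-org", "branch": "master"}}
  ]
}
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def check_orgs(orgs_doc):
    """Return a list of problems with an orgs document; an empty list means it is usable."""
    orgs = orgs_doc.get("orgs")
    if not isinstance(orgs, list) or not orgs:
        return ["orgs: expected a non-empty list"]
    problems = []
    for i, org in enumerate(orgs):
        where = f"orgs[{i}]"
        if not org.get("name"):
            problems.append(f"{where}: missing name (the GitHub org to enumerate)")
        if not UUID_RE.match(str(org.get("orgId", ""))):
            problems.append(f"{where}: orgId must be the Snyk organization UUID")
        github_integration = (org.get("integrations") or {}).get("github", "")
        if not UUID_RE.match(str(github_integration)):
            problems.append(f"{where}: integrations.github must be the GitHub integration UUID")
    return problems


def check_targets(orgs_doc, targets_doc):
    """Cross-check a generated targets document against the orgs document.

    Returns (problems, usable_targets). A target that references an org/integration
    pair absent from the orgs file, lacks owner or name, or repeats an earlier target
    is reported and dropped; the rest are safe to hand to `snyk-api-import import`.
    """
    known = {
        (org.get("orgId"), (org.get("integrations") or {}).get("github"))
        for org in orgs_doc.get("orgs", [])
    }
    targets = targets_doc.get("targets")
    if not isinstance(targets, list) or not targets:
        return ["targets: empty list, nothing would be imported"], []
    problems, seen, usable = [], set(), []
    for i, entry in enumerate(targets):
        pair = (entry.get("orgId"), entry.get("integrationId"))
        target = entry.get("target") or {}
        if pair not in known:
            problems.append(f"targets[{i}]: orgId/integrationId pair is not in the orgs file")
            continue
        if not target.get("owner") or not target.get("name"):
            problems.append(f"targets[{i}]: target needs both owner and name")
            continue
        identity = pair + (target["owner"], target["name"], target.get("branch"))
        if identity in seen:
            problems.append(f"targets[{i}]: duplicate of an earlier target")
            continue
        seen.add(identity)
        usable.append(entry)
    return problems, usable


def preflight(orgs_text, targets_text):
    """Validate both files from their JSON text; returns (problems, usable_targets)."""
    orgs_doc = json.loads(orgs_text)
    problems = check_orgs(orgs_doc)
    if problems:
        return problems, []
    return check_targets(orgs_doc, json.loads(targets_text))


if __name__ == "__main__":
    found, ready = preflight(SAMPLE_ORGS_JSON, SAMPLE_TARGETS_JSON)
    for problem in found:
        print("WARN", problem)
    print(f"{len(ready)} target(s) ready for import")
```

Run it as an extra workflow step between import:data and import, reading the real snyk-orgs.json and github-import-targets.json from SNYK_LOG_PATH, and fail the job when the orgs file has problems or no target survives; a duplicate target is worth only a warning, since Snyk will refuse to import a project twice anyway, but an empty target list almost always means the PAT lacks access to the organization.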

Step 4: Setting up secrets

To avoid exposing sensitive data, we use GitHub Actions secrets to store the GitHub and Snyk tokens. Secrets are encrypted at rest, masked in logs and never exposed to workflows triggered from forks. To add secrets to your repository:

  • Go to your repository's page on GitHub.
  • Under the repository name, click on "Settings."
  • In the left sidebar, click on "Secrets and variables," then "Actions."
  • Click on "New repository secret."
  • Enter GH_PAT as the name and paste your GitHub personal access token in the "Value" field. GitHub rejects secret names that begin with GITHUB_, so the PAT cannot be stored under the name GITHUB_TOKEN; the workflow maps the GH_PAT secret onto the GITHUB_TOKEN environment variable that snyk-api-import reads.
  • Click on "Add secret" to save the token.
  • Repeat the above steps to add SNYK_TOKEN as the name and paste your Snyk API token as the value.

Both tokens are visible to anyone who can push a workflow to this repository, so keep write access to the repository holding snyk-orgs.json as narrow as you would for the tokens themselves.

Conclusion

By following the steps outlined in this blog post, you can sync Snyk with your GitHub SCM using the Snyk API. The scheduled workflow keeps Snyk's view of your GitHub organization current: any repository added to GitHub is imported as a Snyk project on the next run, so new code is scanned and monitored for vulnerabilities without anyone having to remember to add it. Incorporating security practices into your development workflow is crucial, and with Snyk and GitHub working together you close the gap in which a new repository exists but nothing is scanning it.

Find the project - https://github.com/souro1212/import-snyk-projects