In this section, we introduce a Security Gate using the Snyk GitHub Action. The Snyk Action can fail a GitHub check, alerting you when repository activity introduces new risk and helping you catch issues before they reach a protected branch.
To use the Snyk Action, we need to create a Snyk API Token and store it as a GitHub Secret.
You can find your API Token in one of two ways:

- If you have the Snyk CLI installed, retrieve it by running `snyk config get api`.
- In the Snyk UI, head to your account Settings page and copy it from there.
Store the Token in the forked repo's secrets by navigating to Settings -> Secrets -> New Repository Secret. The name you choose must match the secret name the workflow references, since the Action reads the token from that secret. Name the Secret
Continue to Step 2 once your Snyk Token is saved.
Time to add a Snyk Security Gate to our workflow! The necessary files have already been created for you. Switch to the `oss-actions` branch and navigate to the `.github/workflows` folder to see `snyk-gate.yml`. Note the following:
- Since this is designed to "stop the bleeding" of new vulnerabilities being introduced into PROD, this workflow only runs if a PR is opened against that branch.
- The `--fail-on` arguments passed to the Snyk Action tell Snyk to fail only if high severity risks that are upgradable (a fix is available) are present. Lower severity findings, and high severity findings with no available fix, are still reported but do not fail the check.
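For reference, here is an added example of what a gate workflow of this shape looks like. It is not the workshop's own `snyk-gate.yml`; it assumes the secret created in Step 1 was named `SNYK_TOKEN` (the Action reads the token from an environment variable of that name), that the project is a Node.js project (the `snyk/actions` repository provides a separate action per ecosystem), and that the target branch is literally named `PROD`.

```yaml
# Added example, not the workshop's snyk-gate.yml.
# Assumptions: secret is named SNYK_TOKEN, project is Node.js, protected branch is PROD.
name: Snyk Security Gate

on:
  pull_request:
    branches:
      - PROD            # the gate only runs for PRs that target PROD

jobs:
  snyk-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Fail only on fixable high severity issues
        uses: snyk/actions/node@master
        env:
          # The Snyk CLI inside the action authenticates with this variable.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          # severity-threshold filters to high (and above); fail-on=upgradable
          # makes the command exit non-zero only when a fix is available.
          args: --severity-threshold=high --fail-on=upgradable
```

The check fails because `snyk test` exits with a non-zero status when it finds issues that meet both filters, and a failed step fails the job; issues outside the filters are printed in the job log but leave the exit status at zero.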
We'll create a Pull Request to add `snyk-gate.yml` to the `develop` branch. To open a Pull Request, first navigate to Pull Requests -> New Pull Request. In the Comparing Changes window, keep your forked repo as the base repository, select `develop` as the base branch and `oss-actions` as the compare (head) branch, then open the PR.
You should see that this PR adds the `snyk-gate.yml` file. After entering a name and description, click Create Pull Request; you will then be able to Merge the Pull Request. Merge it so that `develop` now carries the workflow.
To test this, open a New Pull Request. This time, set `PROD` as the base and `develop` as the head. In the Pull Request details, the Snyk Security Gate fails as expected, because `develop` still contains the High Severity Vulnerabilities identified earlier.
You'll also notice two Snyk checks in addition to the gate, such as `security/snyk`. These make sure no new security or license issues are introduced by the PR itself. These incremental checks pass because the PR does not introduce any risk that was not already present in the base branch; only the gate, which evaluates the full state of the code, fails.
You now have a Snyk Security Gate! Until branch protection requires this check to pass, you can still merge at your discretion; Snyk fails the check to alert you that there are unresolved, fixable, High Severity risks, but GitHub does not yet block the merge. Leave the Pull Request open for now; in the next section, we'll secure our `develop` branch, clear this gate, and secure the PROD-ready version of our code!