We use cookies to ensure you get the best experience on our website.Read moreRead moreGot it

close
  • Products
    • Products
      • Snyk Open Source (SCA)
        Avoid vulnerable dependencies
      • Snyk Code (SAST)
        Secure your code as it’s written
      • Snyk Container
        Keep your base images secure
      • Snyk Infrastructure as Code
        Fix misconfigurations in the cloud
      • Snyk Cloud
        Build, deploy, and stay secure
    • Solutions
      • Application security
        Build secure, stay secure
      • Software supply chain security
        Mitigate supply chain risk
      • Cloud security
        Build and operate securely
    • Platform
      • What is Snyk?
        Developer-first security in action
      • Developer security platform
        Modern security in a single platform
      • Security intelligence
        Comprehensive vulnerability data
      • License compliance management
        Manage open source usage
  • Resources
    • Using Snyk
      • Documentation
      • Vulnerability intelligence
      • Product training
      • Customer success
      • Support portal & FAQ’s
    • learn & connect
      • Blog
      • Community
      • Events & webinars
      • DevSecOps hub
      • Developer & security resources
    • Listen to the Cloud Security Podcast, powered by Snyk
  • Company
    • About Snyk
    • Customers
    • Partners
    • Newsroom
    • Snyk Impact
    • Contact us
    • Jobs at Snyk We are hiring
  • Pricing
Log inBook a demoSign up
All articles
  • Application Security
  • Cloud Native Security
  • DevSecOps
  • Engineering
  • Partners
  • Snyk Team
  • Show more
    • Vulnerabilities
    • Product
    • Ecosystems
Snyk and Secure Code Warrior
Cloud Native Security

Snyk and Secure Code Warrior: adding more context to GitHub code scanning alerts

Gareth RushgroveOctober 8, 2020

Yesterday we announced full support in Snyk Container and Snyk Infrastructure as Code for GitHub code scanning. Now you can easily show vulnerability information from Snyk natively in GitHub’s Security tab. 

Vulnerability information from Snyk GitHub’s Security tab

While Snyk provides lots of details for each of the vulnerabilities we discover, and references to published advisories and associated CWEs, not everyone is a security expert. What is an Out-of-bounds Write? What are the risks around a NULL Pointer Dereference?

Context and Secure Code Warrior

The more context developers have for the vulnerabilities, the more they’re able to understand the risks, prioritize fixing the most pressing issues, and ultimately preventing them in the first place. That’s where Secure Code Warrior® comes in. Their mission is to empower developers to write secure code from the very beginning through fun, engaging, and framework-specific training, helping them think and code with a security mindset to achieve rapid improvements in security compliance, consistency, quality, and development speed.

Pairing integrations from Snyk and Secure Code Warrior with GitHub code scanning is a powerful combination that gives developers security information and education that is both insightful and actionable.

John Leon, VP of Business Development, GitHub

We’re all about empowering developers with the skills and knowledge to prevent vulnerabilities in the first place. Our new GitHub Action adds secure code training to industry-standard SARIF files within your GitHub workflow – delivering developer-centric contextual learning when they need it most, ultimately making it easier for developers to release quality code faster.

Matias Madou, CTO, Secure Code Warrior

Secure Code Warrior® has built a GitHub Action that brings contextual learning to GitHub code scanning. This means you can use the Snyk Container Action to find vulnerabilities, and then augment the output with hyper-relevant learning from Secure Code Warrior. When combined, not only does Snyk show the details about the vulnerability, but then Secure Code Warrior helps to build a developer’s secure coding knowledge and skills. 

Snyk show the details about the vulnerability and the Secure Code Warrior helps to build a developer's secure coding knowledge

You can watch a short video to better understand the vulnerability or try a hands-on coding challenge to better identify, locate, and fix vulnerabilities in your own code. 

How to add Secure Code Warrior information with GitHub Actions

Adding this extra information is as simple as adding another Action to your workflow. Building a container image and scanning it for vulnerabilities with Snyk looks like:

name: Snyk Container and GitHub Security example
on: push
jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build an image
      run: docker build . -t some-image       
    - name: Run Snyk to check image for vulnerabilities
      continue-on-error: true
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        image: some-image
        args: --file=Dockerfile  

Snyk will by default create a SARIF file called snyk.sarif containing the vulnerability information. The Secure Code Warrior Action reads that file and adds additional contextual information.

- name: Secure Code Warrior
  uses: SecureCodeWarrior/github-action-add-sarif-contextual-training@v1
  with:
    inputSarifFile: snyk.sarif
    outputSarifFile: snyk+securecodewarrior.sarif

Finally, we upload the combined file to GitHub Code Scanning: 

- name: Upload the SARIF file to GitHub Code Scanning
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: snyk+securecodewarrior.sarif

Now, when this workflow runs, what’s pushed into GitHub code scanning not only contains the vulnerability information from Snyk, but also contextual learning from Secure Code Warrior.

Next steps

Successfully shifting security left, and involving development teams in addressing security challenges, need a focus on developer-friendly tools as well as educating developers. By using Snyk and Secure Code Warrior together you can do both, and by providing that education in context, at the heart of the development process, around a specific vulnerability discovered in your application, it’s even more relevant.

You can try out the GitHub Actions for both Secure Code Warrior and Snyk for free today.

Discuss this blog on Discord

Join the DevSecOps Community on Discord to discuss this topic and more with other security-focused practitioners.

Go to Discord
Footer Wave Top
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment
Develop Fast.
Stay Secure.
Snyk|Open Source Security Platform
Sign up for freeBook a demo

Product

  • Developers & DevOps
  • Vulnerability database
  • Pricing
  • Test with GitHub
  • API status
  • IDE plugins
  • What is Snyk?

Resources

  • Snyk Learn
  • Blog
  • Security fundamentals
  • Resources for security leaders
  • Documentation
  • Snyk API
  • Disclosed vulnerabilities
  • Open Source Advisor
  • FAQs
  • Website scanner
  • Japanese site
  • Audit services
  • Web stories

Company

  • About
  • Snyk Impact
  • Customers
  • Jobs at Snyk
  • Snyk for government
  • Legal terms
  • Privacy
  • Press kit
  • Events
  • Security and trust
  • Do not sell my personal information

Connect

  • Book a demo
  • Contact us
  • Support
  • Report a new vuln

Security

  • JavaScript Security
  • Container Security
  • Kubernetes Security
  • Application Security
  • Open Source Security
  • Cloud Security
  • Secure SDLC
  • Cloud Native Security
  • Secure coding
  • Python Code Examples
  • JavaScript Code Examples
Snyk|Open Source Security Platform

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.

Resources

  • Snyk Learn
  • Blog
  • Security fundamentals
  • Resources for security leaders
  • Documentation
  • Snyk API
  • Disclosed vulnerabilities
  • Open Source Advisor
  • FAQs
  • Website scanner
  • Japanese site
  • Audit services
  • Web stories

Track our development

© 2022 Snyk Limited
Registered in England and Wales
Company number: 09677925
Registered address: Highlands House, Basingstoke Road, Spencers Wood, Reading, Berkshire, RG7 1NT.
Footer Wave Bottom