# Snyk

By following this guide, you integrate Snyk's vulnerability scanning with SecDim's interactive training, giving developers immediate, context-sensitive resources for addressing the security issues each scan reports.

## Set Up Snyk in Your Repository

Ensure that Snyk is configured in your repository. If it is not already set up, add the Snyk GitHub Action to your workflow to scan for vulnerabilities.

## Generate SARIF Output Using Snyk

Snyk can write its findings directly in SARIF format. To do this within a GitHub Actions workflow, add the following step:

```yaml
- name: Run Snyk to check for vulnerabilities
  uses: snyk/actions/cli@master
  # Snyk exits non-zero when it finds vulnerabilities; without this the job
  # stops here and the SARIF file is never uploaded.
  continue-on-error: true
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  with:
    args: --sarif-file-output=snyk.sarif
```

This step runs Snyk and saves the results in a file named `snyk.sarif`.

## Upload the SARIF File to GitHub

To visualize the Snyk scan results within GitHub's Security tab, upload the SARIF file using the following step:

```yaml
- name: Upload Snyk SARIF results
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: snyk.sarif
```

This step ensures that GitHub processes the SARIF file and displays the findings in the Security tab.

## Integrate SecDim for In-Context Training

SecDim offers a GitHub Action that parses SARIF files and enriches them with links to interactive secure code training environments. Add the following step to your workflow:

```yaml
- name: Run SecDim Sandbox Action
  uses: secdim/sandbox-action@v1.0.1
  with:
    input_sarif_file: snyk.sarif
    output_sarif_file: snyk.enriched.sarif
```

This action takes the original `snyk.sarif` file, adds links to the relevant SecDim Sandboxes, and writes the enriched SARIF file as `snyk.enriched.sarif`.
## Upload the Enriched SARIF File

To make the enriched SARIF file, now containing in-context training links, available in GitHub, add the following step:

```yaml
- name: Upload Enriched SARIF results
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: snyk.enriched.sarif
```

This final step uploads the enriched SARIF file, so developers can reach the interactive training directly from the identified issues in GitHub's Security tab.

## Complete GitHub Actions Workflow Example

```yaml
name: In-Context SecDim Training Integration

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/cli@master
        # Snyk exits non-zero when it finds vulnerabilities; keep the job
        # running so the SARIF files below still get enriched and uploaded.
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk.sarif

      - name: Upload Snyk SARIF results
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk.sarif

      - name: Run SecDim Sandbox Action
        uses: secdim/sandbox-action@v1.0.1
        with:
          input_sarif_file: snyk.sarif
          output_sarif_file: snyk.enriched.sarif

      - name: Upload Enriched SARIF results
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: snyk.enriched.sarif
```

Ensure that your repository's secrets include `SNYK_TOKEN` for authentication.
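The workflow above produces two files, `snyk.sarif` and `snyk.enriched.sarif`. The following Python script is an added example, not part of Snyk's or SecDim's tooling: it checks that the enriched file still contains every finding of the original and lists the URLs attached to each finding, so you can confirm the training links are present before the upload step. The SARIF content, rule id, file path and URL are constructed placeholders, and storing the link in the rule's `helpUri` is an assumption about where such links live, not a description of the SecDim action.

```python
"""Check an enriched SARIF file against the Snyk original before uploading it."""
import json
import re

URL_RE = re.compile(r"https?://\S+")

def _results(sarif):
    """Yield (ruleId, file uri, startLine, message text) for every result."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (res.get("ruleId"), loc.get("artifactLocation", {}).get("uri"),
                   loc.get("region", {}).get("startLine"),
                   res.get("message", {}).get("text", ""))

def _rule_help(sarif):
    """Map ruleId -> helpUri from the driver's rule metadata, where present."""
    return {rule["id"]: rule["helpUri"]
            for run in sarif.get("runs", [])
            for rule in run.get("tool", {}).get("driver", {}).get("rules", [])
            if rule.get("helpUri")}

def check_enrichment(original, enriched):
    """Return (findings_preserved, links): whether every (ruleId, file, line) of the
    original still appears in the enriched file, and a map from each enriched
    finding to the URLs attached to it (message text plus the rule's helpUri)."""
    orig_keys = {r[:3] for r in _results(original)}
    help_uris = _rule_help(enriched)
    links = {}
    for rule_id, uri, line, msg in _results(enriched):
        urls = URL_RE.findall(msg)
        if rule_id in help_uris:
            urls.append(help_uris[rule_id])
        links[(rule_id, uri, line)] = urls
    return orig_keys <= set(links), links

# Constructed stand-in for snyk.sarif; rule id and file path are placeholders.
ORIGINAL = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Snyk", "rules": [
    {"id": "EXAMPLE-RULE-1"}]}}, "results": [{"ruleId": "EXAMPLE-RULE-1", "level": "error",
    "message": {"text": "SQL injection"}, "locations": [{"physicalLocation": {
    "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]}]}]}
# Constructed stand-in for snyk.enriched.sarif: the same finding plus a training link.
# The URL is a placeholder; storing it in helpUri is an assumption, not SecDim's format.
ENRICHED = json.loads(json.dumps(ORIGINAL))
ENRICHED["runs"][0]["tool"]["driver"]["rules"][0]["helpUri"] = "https://sandbox.example/placeholder"

if __name__ == "__main__":
    ok, found = check_enrichment(ORIGINAL, ENRICHED)
    print("findings preserved:", ok, "links:", found)
```

A `False` first return value means the enrichment step dropped a finding and the enriched file should not replace the original upload; an empty URL list for a finding means no training link was attached to it.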