Merge pull request #138 from snyk/feat/maven-jdk

feat: add actions for maven jdk 21 and 22

README.md

@@ -20,6 +20,8 @@ you are using. We currently support:
 - [Maven-3-jdk-11](maven-3-jdk-11)
 - [Maven-3-jdk-17](maven-3-jdk-17)
 - [Maven-3-jdk-20](maven-3-jdk-20)
+- [Maven-3-jdk-21](maven-3-jdk-21)
+- [Maven-3-jdk-22](maven-3-jdk-22)
 - [Node](node)
 - [PHP](php)
 - [Python](python)

build.rb

@@ -23,6 +23,8 @@
   "Maven-3-jdk-11",
   "Maven-3-jdk-17",
   "Maven-3-jdk-20",
+  "Maven-3-jdk-21",
+  "Maven-3-jdk-22",
   "Node",
   "PHP",
   "Python",

maven-3-jdk-21/README.md

@@ -0,0 +1,83 @@
+# Snyk Maven (3-jdk-21)  Action
+
+A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for
+vulnerabilities in your Maven-3-jdk-21 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`.
+
+
+You can use the Action as follows:
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-21@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+```
+
+## Properties
+
+The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`.
+
+| Property | Default | Description                                                                                         |
+| -------- | ------- | --------------------------------------------------------------------------------------------------- |
+| args     |         | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] |
+| command  | test    | Specify which command to run, for instance test or monitor                                          |
+| json     | false   | In addition to the stdout, save the results as snyk.json                                            |
+
+For example, you can choose to only report on high severity vulnerabilities.
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-21@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+```
+
+## Uploading Snyk scan results to GitHub Code Scanning
+
+Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning.
+
+![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png)
+
+The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this:
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-21@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+```
+
+Made with 💜 by Snyk
+
+[cli-gh]: https://github.com/snyk/snyk 'Snyk CLI'
+[cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation'

maven-3-jdk-21/action.yml

@@ -0,0 +1,26 @@
+name: "Snyk Maven (3-jdk-21)"
+description: "Check your Maven application for vulnerabilties using Snyk"
+author: "Gareth Rushgrove"
+branding:
+  icon: "alert-triangle"
+  color: "yellow"
+inputs:
+  command:
+    description: "Which Snyk command to run, defaults to test"
+    default: test
+  args:
+    description: "Additional arguments to pass to Snyk"
+  json:
+    description: "Output a snyk.json file with results if running the test command"
+    default: false
+runs:
+  using: "docker"
+  image: "docker://snyk/snyk:maven-3-jdk-21"
+  env:
+    FORCE_COLOR: 2
+    SNYK_INTEGRATION_NAME: GITHUB_ACTIONS
+    SNYK_INTEGRATION_VERSION: maven-3-jdk-21
+  args:
+  - snyk
+  - ${{ inputs.command }}
+  - ${{ inputs.args }} 

maven-3-jdk-22/README.md

@@ -0,0 +1,83 @@
+# Snyk Maven (3-jdk-22)  Action
+
+A [GitHub Action](https://github.com/features/actions) for using [Snyk](https://snyk.co/SnykGH) to check for
+vulnerabilities in your Maven-3-jdk-22 projects. This Action is based on the [Snyk CLI][cli-gh] and you can use [all of its options and capabilities][cli-ref] with the `args`.
+
+
+You can use the Action as follows:
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-22@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+```
+
+## Properties
+
+The Snyk Maven Action has properties which are passed to the underlying image. These are passed to the action using `with`.
+
+| Property | Default | Description                                                                                         |
+| -------- | ------- | --------------------------------------------------------------------------------------------------- |
+| args     |         | Override the default arguments to the Snyk image. See [Snyk CLI reference for all options][cli-ref] |
+| command  | test    | Specify which command to run, for instance test or monitor                                          |
+| json     | false   | In addition to the stdout, save the results as snyk.json                                            |
+
+For example, you can choose to only report on high severity vulnerabilities.
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-22@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+```
+
+## Uploading Snyk scan results to GitHub Code Scanning
+
+Using `--sarif-file-output` [Snyk CLI flag][cli-ref] and the [official GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github), you can upload Snyk scan results to the GitHub Code Scanning.
+
+![Snyk results as a SARIF output uploaded to GitHub Code Scanning](../_templates/sarif-example.png)
+
+The Snyk Action will fail when vulnerabilities are found. This would prevent the SARIF upload action from running, so we need to introduce a [continue-on-error](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error) option like this:
+
+```yaml
+name: Example workflow for Maven using Snyk
+on: push
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven-3-jdk-22@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+```
+
+Made with 💜 by Snyk
+
+[cli-gh]: https://github.com/snyk/snyk 'Snyk CLI'
+[cli-ref]: https://docs.snyk.io/snyk-cli/cli-reference 'Snyk CLI Reference documentation'

maven-3-jdk-22/action.yml

@@ -0,0 +1,26 @@
+name: "Snyk Maven (3-jdk-22)"
+description: "Check your Maven application for vulnerabilties using Snyk"
+author: "Gareth Rushgrove"
+branding:
+  icon: "alert-triangle"
+  color: "yellow"
+inputs:
+  command:
+    description: "Which Snyk command to run, defaults to test"
+    default: test
+  args:
+    description: "Additional arguments to pass to Snyk"
+  json:
+    description: "Output a snyk.json file with results if running the test command"
+    default: false
+runs:
+  using: "docker"
+  image: "docker://snyk/snyk:maven-3-jdk-22"
+  env:
+    FORCE_COLOR: 2
+    SNYK_INTEGRATION_NAME: GITHUB_ACTIONS
+    SNYK_INTEGRATION_VERSION: maven-3-jdk-22
+  args:
+  - snyk
+  - ${{ inputs.command }}
+  - ${{ inputs.args }}