# Advanced Options: GitHub Actions

### Scan Modes

By default, the action tries to autodetect everything. This can fail in more complicated setups (such as monorepos). Safety Action supports 3 scan modes, which can be mixed and matched depending on your exact project structure.

#### Scanning a built Docker image

Safety Action can scan any Docker image that exists on the action runner. This is most useful when you're using GitHub workflows to build and publish Docker images as part of your pipeline.

To use this mode, set `scan` to `docker`. You can also specify an image to scan using `docker-image`. This mode requires `/bin/sh` to be present in the image you're scanning, as well as the command `python -m pip list --format=freeze` to be runnable:

```yaml
env:
  IMAGE_URL: ghcr.io/example/example:${{ github.sha }}

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Build image
        run: DOCKER_BUILDKIT=1 docker buildx build -t ${{ env.IMAGE_URL }} .

      # Scan the built image using Safety
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'docker'
          docker-image: ${{ env.IMAGE_URL }}
```

#### Scanning the workflow environment

Safety Action can scan your current workflow environment. This is most useful when you're also using `actions/setup-python` and perhaps packaging up a wheel, or running more complex builds using `setup.py`.

This type of scan is also the most comprehensive and secure, since it inspects the actual environment you are deploying to production. Python dependency installation is often not deterministic, and even when it is, the resolved set of packages can change across slightly different Python versions or underlying system details.

To use this mode, set `scan` to `env`. No further options are available: if `pythonLocation` has been set by `actions/setup-python`, that Python environment is scanned automatically; otherwise the environment of the worker image (e.g. `ubuntu-latest`) is scanned:

```yaml
jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-python@v3
        with:
          python-version: '3.10'
          architecture: 'x64'

      # Replace with the steps required to set up & install
      # your Python system and dependencies
      - run: python -m pip install -r requirements.txt

      # Scans the Python env setup by setup-python.
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'env'
```

Environment scans are still completely configurable using [Safety CLI: Policy file](https://docs.pyup.io/docs/safety-20-policy-file), or via GitHub Action variables.

#### Scanning a requirements file

Safety Action can scan a `requirements.txt` file or a Poetry / Pipfile lockfile in your repo. Scanning a file is not recommended unless you're using a lock file that specifies all dependencies, and you are confident that no other packages are installed in the environment.

To use this mode, set `scan` to `file`. You can also specify a path to the requirements file to scan using `requirements`:

```yaml
jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      # Scans the root poetry.lock in the repo
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'file'
          requirements: 'poetry.lock'

      # Scans Pipfile.lock under services/microservice-example. Useful for monorepo setups.
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}
          scan: 'file'
          requirements: 'services/microservice-example/Pipfile.lock'
```
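The three modes combined in one monorepo workflow, as an added example that is not from the Safety Action docs: the `services/...` paths, the image name and the `SAFETY_API_KEY` secret name are assumptions.

```yaml
env:
  IMAGE_URL: ghcr.io/example/monorepo-api:${{ github.sha }}  # placeholder image name

jobs:
  # Scan the Python environment actually installed for the main package
  scan-env:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v3
        with:
          python-version: '3.10'
      - run: python -m pip install -r requirements.txt
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}
          scan: 'env'

  # Scan each service's lockfile in place, one matrix job per lockfile
  scan-lockfiles:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false   # report every lockfile, not just the first failing one
      matrix:
        lockfile:        # assumed monorepo layout
          - services/api/poetry.lock
          - services/worker/Pipfile.lock
    steps:
      - uses: actions/checkout@v2
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}
          scan: 'file'
          requirements: ${{ matrix.lockfile }}

  # Build the image, scan it, and push only if the scan step succeeded
  scan-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: DOCKER_BUILDKIT=1 docker buildx build -t ${{ env.IMAGE_URL }} services/api
      - uses: pyupio/safety@2.3.4
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}
          scan: 'docker'
          docker-image: ${{ env.IMAGE_URL }}
      # A failed scan stops the job here, so the push below never runs
      # (registry login is assumed to be configured earlier in the job)
      - run: docker push ${{ env.IMAGE_URL }}
```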

### Running without failing the pipeline

It's possible to run the Safety action without failing the pipeline when a vulnerability is found, and instead check the step's outcome in a later step:

```yaml
jobs:
  insecure-test:
    runs-on: ubuntu-latest

    steps:
      # continue-on-error lets the job carry on even if Safety reports vulnerabilities
      - uses: pyupio/safety@2.3.4
        id: scan-1
        continue-on-error: true
        with:
          api-key: ${{secrets.SAFETY_API_KEY}}

      # The step outcome is still recorded, so a later step can react to it
      - if: steps.scan-1.outcome == 'failure'
        run: echo 'Safety reported vulnerabilities, but the pipeline continued.'
```

### Action options

| Option              | Default                                                                                   | Required? | Description                                                                                                                             |
| ------------------- | ----------------------------------------------------------------------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| `api-key`           | N/A                                                                                       | Yes       | Your PyUp API key                                                                                                                       |
| `scan`              | `auto`                                                                                    | No        | Scan mode to use. One of `auto` / `docker` / `env` / `file`                                                                             |
| `docker-image`      | Autodetects the last built, tagged image on the runner                                    | No        | Tag or hash of the Docker Image to scan.                                                                                                |
| `requirements`      | `poetry.lock` followed by `Pipfile.lock` followed by `requirements.txt` (first match wins) | No        | Path of requirements file to scan                                                                                                       |
| `continue-on-error` | No                                                                                        | No        | By default, Safety will exit with a non-zero exit code if it detects any vulnerabilities. Set this to non-empty value to not error out. |
| `output-format`     | `screen`                                                                                  | No        | Output format for returned data. One of `screen` / `text` / `json` / `bare`                                                             |
| `args`              | ''                                                                                        | No        | Any additional CLI arguments to pass to `safety`                                                                                        |
