---> 
Your repo on GitHub can contain badges reflecting Snyk scan results. The scan can occur on the built package on NPM, PyPi, or other platforms; or it can scan the code on GitHub directly. This repo contains some vulnerabilities deliberately. It contains:
- Vulnerable
app.pyfor SAST / code scanning demonstration - Manifest file
requirements.txtcontaining outdated (vulnerable) versions of packages - Terraform files to demonstrate Snyk IaC scanning
Try clicking on the badge at the top of this README to see the full scan results for this demo codebase.
Open source projects can join Snyk's Secure Developer Program to obtain access to Enterprise security features for free. One of the few requirements for joining the program is to include a reference to Snyk in your project's README. The badges shown off in this demo repo are all valid ways of doing that. You can also/alternatively use the PNG badges at the bottom of this demo README.
- Navigate to https://snyk.io and click "Sign up" (it will be free)
- Choose GitHub OAuth for easier integration
- Authorize Snyk to access your GitHub account
- In Snyk dashboard, go to
Integrations → Source Control → GitHub Snyk
- Click "Add your GitHub repositories to Snyk". You may need to grant Snyk some additional permissions:
- Select the repositories you want to monitor (you can search for them by name)
-
Wait for initial vulnerability scan to complete (usually 1-2 minutes)
-
If your repo does not have any code yet, now would be a good time to add some. This repo contains some deliberately vulnerable code in
app.py.
-
If you do not have a manifest file, you'll want to configure one appropriate for your project. A manifest file is just a file from your language that is standard for indicating your dependencies. If you want Open Source dependency scanning, you’ll need at least one of the supported manifests:
.png){kind=link}
Python → requirements.txt, Pipfile, or pyproject.toml
Node.js → package.json
Java → pom.xml or build.gradle
This repository contains a requirements.txt file with some deliberately outdated dependencies to show off vulnerability scanning.
- The natural next step would be to set up GitHub Actions with Snyk. You can explore some options for this here. But for now, you've done enough to create your badge(s).
For a scan that is configured to scan your code on an open source GitHub repo directly:
Basic GitHub badge:
[](https://snyk.io/test/github/{username}/{repo})
In our case:
[](https://snyk.io/test/github/snyk-labs/secure-developer-sample-repo)
Which comes out looking like this:
Or for specific branch:
[](https://snyk.io/test/github/{username}/{repo}/{branch})
Targeting a specific manifest file (if you have a monorepo with multiple requirements.txt files, for example):
[](https://snyk.io/test/github/{username}/{repo}?targetFile=package.json)
Using custom styling:
[](https://snyk.io/test/github/{username}/{repo})
An example combining these parameters:
[](https://snyk.io/test/github/{username}/{repo}?targetFile=package.json)
For a scan that is configured to scan your code on NPM:
Basic npm badge:
[](https://snyk.io/test/npm/{package-name})
Specific version:
[](https://snyk.io/test/npm/{package-name}/{version})
For a scan that is configured to scan your code on PyPi:
Basic PyPi badge:
[](https://snyk.io/test/pip/{package-name})
For a scan that is configured to scan your code on Maven Central: Basic Maven badge:
[](https://snyk.io/test/maven/{groupId}/{artifactId})
For a scan that is configured to scan your code on PHP Composer:
Basic PHP badge:
[](https://snyk.io/test/composer/{vendor}/{package})
