Split off snyk-attestations into their own workflow step (#175)

cyber-dojo · May 13, 2024 · df9c6f1 · df9c6f1
1 parent e4da1c1
commit df9c6f1
Showing 1 changed file with 25 additions and 18 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -202,29 +202,32 @@ jobs:
       - name: Setup Snyk
         uses: snyk/actions/setup@master
 
-      - name: Run Snyk container scan and report results to Kosli Trail
+      - name: Run Snyk container scan
         env:
           IMAGE_NAME:        ${{ needs.kosli-trail.outputs.image_name }}
+          SARIF_FILENAME:    snyk.container.scan.json
+          SNYK_TOKEN:        ${{ secrets.SNYK_TOKEN }}
+        run:
+          snyk container test ${IMAGE_NAME} 
+            --file=Dockerfile 
+            --sarif 
+            --sarif-file-output="${SARIF_FILENAME}" 
+            --policy-path=.snyk
+
+      - name: Report Snyk container scan results to Kosli Trail
+        if: ${{ success() || failure() }}
+        env:
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
           KOSLI_ATTACHMENTS: /tmp/kosli_attachments
           SARIF_FILENAME:    snyk.container.scan.json
-          SNYK_TOKEN:        ${{ secrets.SNYK_TOKEN }}
         run: |
-          set +e          
-          snyk container test ${IMAGE_NAME} \
-            --file=Dockerfile \
-            --sarif \
-            --sarif-file-output="${SARIF_FILENAME}" \
-            --policy-path=.snyk
-          set -e
-          
           mkdir "${KOSLI_ATTACHMENTS}"
           cp .snyk "${KOSLI_ATTACHMENTS}"
 
-          kosli attest snyk "${IMAGE_NAME}" \
+          kosli attest snyk \
             --name=differ.snyk-container-scan \
             --scan-results="${SARIF_FILENAME}"
-
+          
 
   snyk-code-scan:
     needs: [build-image, kosli-trail]
@@ -240,26 +243,30 @@ jobs:
       - name: Setup Snyk
         uses: snyk/actions/setup@master
 
-      - name: Run Snyk code scan and report results to Kosli Trail
+      - name: Run Snyk code scan
         env:
           IMAGE_NAME:        ${{ needs.kosli-trail.outputs.image_name }}
           KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
           KOSLI_ATTACHMENTS: /tmp/kosli_attachments
           SARIF_FILENAME:    snyk.code.scan.json
           SNYK_TOKEN:        ${{ secrets.SNYK_TOKEN }}
-        run: |
-          set +e          
+        run:
           snyk code test \
             --sarif \
             --sarif-file-output="${SARIF_FILENAME}" \
             --policy-path=.snyk \
             .
-          set -e
 
+      - name: Report Snyk code scan results to Kosli Trail
+        if: ${{ success() || failure() }}
+        env:
+          KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.kosli_fingerprint }}
+          KOSLI_ATTACHMENTS: /tmp/kosli_attachments
+          SARIF_FILENAME:    snyk.code.scan.json
+        run: |
           mkdir "${KOSLI_ATTACHMENTS}"
           cp .snyk "${KOSLI_ATTACHMENTS}"
-
-          kosli attest snyk "${IMAGE_NAME}" \
+          kosli attest snyk \
             --name=differ.snyk-code-scan \
             --scan-results="${SARIF_FILENAME}"