Scan Docker images in Snyk Github action (close #90)

snowplow · Dec 1, 2023 · 186d646 · 186d646
1 parent b8da747
commit 186d646
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 20 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -30,6 +30,19 @@ jobs:
       id: get_version
       run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
 
+    - name: Publish docker image locally for Snyk action
+      run: make docker-build
+
+    - name: Run Snyk to monitor vulnerabilities in Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
+      with:
+        image: "snowplow/dataflow-runner:${{ github.ref_name }}"
+        args: "--app-vulns --org=data-processing-new"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
     - name: Create Release
       uses: actions/create-release@v1
       env:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,7 +33,23 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v2
 
+    - name: Extract project version from file
+      id: version
+      run: |
+          echo ::set-output name=VERSION::"$(cat VERSION)"
+
     - name: Run tests
       run: |
         export PATH="$PATH:/tmp/consul/"
         make test
+
+    - name: Publish docker image locally for Snyk action
+      run: make docker-build
+
+    - name: Snyk Setup
+      uses: snyk/actions/setup@master
+
+    - name: Run Snyk to check for vulnerabilities in Docker image
+      run: snyk container test snowplow/dataflow-runner:${{steps.version.outputs.VERSION}} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml