Scan Docker images in Snyk Github action (close #90)

snowplow · Dec 4, 2023 · 644ea20 · 644ea20
1 parent b8da747
commit 644ea20
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 32 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -30,22 +30,32 @@ jobs:
       id: get_version
       run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
 
-    - name: Create Release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ github.token }}
+    - name: Publish docker image locally for Snyk action
+      run: make docker-build
+
+    - name: Run Snyk to monitor vulnerabilities in Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
       with:
-        tag_name: ${{ steps.get_version.outputs.VERSION }}
-        release_name: Version ${{ steps.get_version.outputs.VERSION }}
-        draft: false
-        prerelease: false
+        image: "snowplow/dataflow-runner:${{ github.ref_name }}"
+        args: "--app-vulns --org=data-processing-new"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
-    - name: Upload release binaries
-      uses: alexellis/upload-assets@0.2.3
+    - name: Create GitHub release and attach artifacts
+      uses: softprops/action-gh-release@v1
       env:
-        GITHUB_TOKEN: ${{ github.token }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        asset_paths: '["./build/bin/*.zip"]'
+        draft: true
+        prerelease: ${{ contains(github.ref , '-') }}
+        name: Version ${{ github.ref_name }}
+        tag_name: ${{ github.ref_name }}
+        files: |
+          build/bin/dataflow_runner_${{ github.ref_name }}_darwin_amd64.zip
+          build/bin/dataflow_runner_${{ github.ref_name }}_linux_amd64.zip
+          build/bin/dataflow_runner_${{ github.ref_name }}_windows_amd64.zip
 
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,7 +33,23 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@v2
 
+    - name: Extract project version from file
+      id: version
+      run: |
+          echo ::set-output name=VERSION::"$(cat VERSION)"
+
     - name: Run tests
       run: |
         export PATH="$PATH:/tmp/consul/"
         make test
+
+    - name: Publish docker image locally for Snyk action
+      run: make docker-build
+
+    - name: Snyk Setup
+      uses: snyk/actions/setup@master
+
+    - name: Run Snyk to check for vulnerabilities in Docker image
+      run: snyk container test snowplow/dataflow-runner:${{steps.version.outputs.VERSION}} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml