Scan Docker images in Snyk Github action (close #772)

Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
snowplow · Apr 13, 2023 · 6d4d7a2 · 6d4d7a2
1 parent 28e7feb
commit 6d4d7a2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 20 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -137,6 +137,10 @@ jobs:
           - suffix: ""
           - suffix: -experimental
             app: rabbitmq
+          - app: kinesis
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
+          - app: pubsub
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
     steps:
     - uses: actions/checkout@v2
       if: startsWith(github.ref, 'refs/tags/')
@@ -229,6 +233,18 @@ jobs:
         platforms: linux/amd64,linux/arm64/v8
         tags: ${{ steps.distroless-meta.outputs.tags }}
         push: true
+    - name: Build local distroless image, which is needed to run Snyk
+      if: matrix.run_snyk
+      run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
+    - name: Run Snyk to check for vulnerabilities
+      uses: snyk/actions/docker@master
+      if: matrix.run_snyk
+      with:
+        image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless"
+        args: "--app-vulns --org=data-processing-new"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   publish_sce:
     needs: test

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml