From 6d4d7a2a20c28515cf357b4555c4f12af5287393 Mon Sep 17 00:00:00 2001
From: spenes
Date: Wed, 12 Apr 2023 18:00:53 +0300
Subject: [PATCH] Scan Docker images in Snyk Github action (close #772)

Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
---
 .github/workflows/ci.yml   | 16 ++++++++++++++++
 .github/workflows/snyk.yml | 20 --------------------
 2 files changed, 16 insertions(+), 20 deletions(-)
 delete mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 77b1486aa..8cc48669a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,6 +137,10 @@ jobs:
           - suffix: ""
           - suffix: -experimental
             app: rabbitmq
+          - app: kinesis
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
+          - app: pubsub
+            run_snyk: ${{ !contains(github.ref, 'rc') }}
     steps:
       - uses: actions/checkout@v2
         if: startsWith(github.ref, 'refs/tags/')
@@ -229,6 +233,18 @@ jobs:
           platforms: linux/amd64,linux/arm64/v8
           tags: ${{ steps.distroless-meta.outputs.tags }}
           push: true
+      - name: Build local distroless image, which is needed to run Snyk
+        if: matrix.run_snyk
+        run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        if: matrix.run_snyk
+        with:
+          image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless"
+          args: "--app-vulns --org=data-processing-new"
+          command: monitor
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   publish_sce:
     needs: test
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index 04cdddcac..000000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
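Review bot: The new scan step in the second ci.yml hunk is pinned to a mutable branch, `uses: snyk/actions/docker@master`, so the action that receives `SNYK_TOKEN` and runs against the freshly built image can change underneath the workflow without any commit in this repository; pin it to a full commit SHA with the version noted alongside, e.g. `uses: snyk/actions/docker@<commit-sha>  # <release-tag>`. Second, `command: monitor` only uploads the image's dependency snapshot to the Snyk org and never fails the job on findings, so if this is meant to gate tagged releases an additional `test` invocation with a `--severity-threshold` is needed before `monitor`; otherwise a comment such as `# report-only: monitor never fails the build` on the step would make the intent explicit. The `image:` value also depends on `steps.packageName` and `steps.ver` outputs that appear to be defined earlier in the job, outside this hunk, and only the `kinesis` and `pubsub` include entries in the first hunk set `run_snyk`, so every other matrix app skips the scan silently — worth a one-line comment on those entries stating that this is deliberate.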
@@ -1,20 +0,0 @@
-name: Snyk
-
-on:
-  push:
-    branches: [ master ]
-
-jobs:
-  security:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: Run Snyk to check for vulnerabilities
-        uses: snyk/actions/scala@master
-        with:
-          command: monitor
-          args: --project-name=enrich
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}