
Nightly Snyk Security Scan #1149


Workflow file for this run

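# Nightly security scan of the built application image: Snyk checks the Docker
# image for high+ severity vulnerabilities, Brakeman runs a static scan of the
# Rails app inside that image, and a Slack alert is sent if either step fails.
name: Nightly Snyk Security Scan

on:
  workflow_dispatch:
  schedule:
    - cron: '30 5 * * *'  # 5:30am daily (GitHub schedules run in UTC)

# Least privilege: the job only reads the checkout and pushes nothing, so the
# default (write-capable) GITHUB_TOKEN permissions are not needed.
permissions:
  contents: read

jobs:
  security_tests:
    name: Snyk Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # NOTE(review): `@master` is a mutable ref, so whatever the upstream
      # branch contains at run time executes here with access to the job's
      # secrets. Pin every non-tag action reference in this job to a full
      # commit SHA (`@<COMMIT_SHA>  # <tag>`) so updates are deliberate.
      # This step is presumably what populates DOCKER_REPOSITORY, SLACK_ERROR
      # and APPLICATION in `env` used below — confirm against the action.
      - name: set-up-environment
        uses: DFE-Digital/github-actions/set-up-environment@master

      - name: Azure login
        uses: Azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}

      - name: Fetch secrets from key vault
        uses: azure/CLI@v2
        id: keyvault-yaml-secret
        with:
          inlineScript: |
            # Fail the step if a vault lookup fails, instead of silently
            # publishing an empty token/webhook to later steps.
            set -e
            # Each value is masked before it is written to the step output so
            # it cannot appear in the job log.
            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SLACK_WEBHOOK"
            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> "$GITHUB_OUTPUT"
            SNYK_TOKEN=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.KEY_VAULT_REVIEW }}" --query "value" -o tsv)
            echo "::add-mask::$SNYK_TOKEN"
            echo "SNYK_TOKEN=$SNYK_TOKEN" >> "$GITHUB_OUTPUT"

      # Scans the image's OS/base layers only (--exclude-app-vulns) and fails
      # the job on high or critical findings.
      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK_TOKEN }}
        with:
          image: ${{ env.DOCKER_REPOSITORY }}:master
          args: --severity-threshold=high --file=Dockerfile --exclude-app-vulns

      # Runs Brakeman from inside the already-built image so the scan covers
      # exactly the code that was shipped; a non-zero exit fails the job.
      - name: Run Brakeman static security scanner
        run: |-
          docker run -t --rm -e RAILS_ENV=test ${{ env.DOCKER_REPOSITORY }}:master brakeman --no-pager

      # Alert on any failed step. The title/message name this workflow (Snyk),
      # not the Anchore scan the original text referred to.
      - name: Slack Notification
        if: failure()
        uses: rtCamp/action-slack-notify@master
        env:
          SLACK_COLOR: ${{ env.SLACK_ERROR }}
          SLACK_TITLE: Failure with Nightly Snyk Security Scan
          SLACK_MESSAGE: Failure Nightly Snyk Security Scan for ${{ env.APPLICATION }}
          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK_WEBHOOK }}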