Skip to content

Commit

Permalink
Scan Docker images in Snyk Github action (close #772)
Browse files Browse the repository at this point in the history
Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote
registry only, and that is why here we additionally add a step to create local Docker images for the
Snyk scan.
  • Loading branch information
spenes committed Apr 13, 2023
1 parent 7a7e006 commit d552d49
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 20 deletions.
16 changes: 16 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,10 @@ jobs:
- suffix: ""
- suffix: -experimental
app: rabbitmq
- app: kinesis
run_snyk: ${{ !contains(github.ref, 'rc') }}
- app: pubsub
run_snyk: ${{ !contains(github.ref, 'rc') }}
steps:
- uses: actions/checkout@v2
if: startsWith(github.ref, 'refs/tags/')
Expand Down Expand Up @@ -229,6 +233,18 @@ jobs:
platforms: linux/amd64,linux/arm64/v8
tags: ${{ steps.distroless-meta.outputs.tags }}
push: true
- name: Build local distroless image, which is needed to run Snyk
if: matrix.run_snyk
run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/docker@master
if: matrix.run_snyk
with:
image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless"
args: "--app-vulns --org=data-processing-new"
command: monitor
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

publish_sce:
needs: test
Expand Down
20 changes: 0 additions & 20 deletions .github/workflows/snyk.yml

This file was deleted.

0 comments on commit d552d49

Please sign in to comment.