From d552d493565d753564be536afacbd2ec0d646dc6 Mon Sep 17 00:00:00 2001 From: spenes Date: Wed, 12 Apr 2023 18:00:53 +0300 Subject: [PATCH] Scan Docker images in Snyk Github action (close #772) Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan. --- .github/workflows/ci.yml | 16 ++++++++++++++++ .github/workflows/snyk.yml | 20 -------------------- 2 files changed, 16 insertions(+), 20 deletions(-) delete mode 100644 .github/workflows/snyk.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 77b1486aa..8cc48669a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -137,6 +137,10 @@ jobs: - suffix: "" - suffix: -experimental app: rabbitmq + - app: kinesis + run_snyk: ${{ !contains(github.ref, 'rc') }} + - app: pubsub + run_snyk: ${{ !contains(github.ref, 'rc') }} steps: - uses: actions/checkout@v2 if: startsWith(github.ref, 'refs/tags/') @@ -229,6 +233,18 @@ jobs: platforms: linux/amd64,linux/arm64/v8 tags: ${{ steps.distroless-meta.outputs.tags }} push: true + - name: Build local distroless image, which is needed to run Snyk + if: matrix.run_snyk + run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/docker@master + if: matrix.run_snyk + with: + image: "${{ steps.packageName.outputs.package_name }}:${{ steps.ver.outputs.tag }}-distroless" + args: "--app-vulns --org=data-processing-new" + command: monitor + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} publish_sce: needs: test diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml deleted file mode 100644 index 04cdddcac..000000000 --- a/.github/workflows/snyk.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Snyk - -on: - push: - branches: [ master ] - -jobs: - security: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/scala@master - with: - command: monitor - args: --project-name=enrich - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}