From a0099466db18308ed69d176614fbf0b77aca0bce Mon Sep 17 00:00:00 2001
From: spenes
Date: Tue, 4 Apr 2023 15:18:18 +0300
Subject: [PATCH] Scan Docker images in Snyk Github action (close #131)

Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
---
 .github/workflows/ci.yml | 12 ++++++++++++
 .github/workflows/snyk.yml | 20 --------------------
 2 files changed, 12 insertions(+), 20 deletions(-)
 delete mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e081a78..4666319 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,3 +137,15 @@ jobs:
 platforms: linux/amd64,linux/arm64/v8
 tags: ${{ steps.meta-distroless.outputs.tags }}
 push: true
+ - name: Build local distroless image, which is needed to run Snyk
+ if: ${{ !contains(steps.ver.outputs.tag, 'rc') }}
+ run: sbt "project igluServerDistroless" docker:publishLocal
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/docker@master
+ if: ${{ !contains(steps.ver.outputs.tag, 'rc') }}
+ with:
+ image: "snowplow/iglu-server:${{ steps.ver.outputs.tag }}-distroless"
+ args: "--app-vulns --org=data-processing-new"
+ command: monitor
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index 48ec06c..0000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: Snyk
-
-on:
- push:
- branches: [ master ]
-
-jobs:
- security:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/scala@master
- with:
- command: monitor
- args: --project-name=iglu-server
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
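Review bot: The new Snyk step at `uses: snyk/actions/docker@master` pulls a third-party action from a mutable branch ref and hands it `SNYK_TOKEN`, so whoever can push to that branch controls what runs with the secret on every release build; the deleted snyk.yml had the same weakness, but this hunk is where it should be fixed. Pin the action to a full commit SHA with the version recorded in a trailing comment, e.g. `uses: snyk/actions/docker@<commit-sha>  # <release-tag>` (placeholders — take both values from the snyk/actions release you intend to use). Separately, `command: monitor` uploads a snapshot to the Snyk dashboard rather than failing the job, and the step runs after the `push: true` of the preceding build-push step, so a finding never blocks an image from reaching the registry; if gating is intended, a `test` invocation placed before the push is the usual shape. The `image:` reference is assembled from `steps.ver.outputs.tag` while the local image comes from `sbt ... docker:publishLocal`, which presumably tags from the sbt version — worth confirming the two agree, since a mismatch would only surface on non-rc tags where the `if:` guard lets this step run. The enclosing job and its steps list begin above this hunk.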