Scan Docker images in Snyk Github action (close #299)

snowplow · Dec 1, 2023 · 362011d · 362011d
1 parent 493353a
commit 362011d
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 30 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -44,14 +44,6 @@ jobs:
         echo "VERSION file ${{steps.version.outputs.VERSION_FILE}} does not match tagged version ${{ github.ref }}"
         exit 1
 
-    - name: Snyk Setup
-      uses: snyk/actions/setup@master
-
-    - name: Run Snyk to check for vulnerabilities
-      run: snyk test --project-name=snowbridge --severity-threshold=high
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
     - name: Install ngrok
       run: |
           mkdir -p $GITHUB_WORKSPACE/bin
@@ -73,6 +65,39 @@ jobs:
     - name: Run e2e tests
       run: make e2e-test
 
+    - name: Snyk Setup
+      uses: snyk/actions/setup@master
+
+    - name: Run Snyk to check for vulnerabilities in main Docker image
+      run: snyk container test snowplow/snowbridge:${{ github.ref_name }} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to check for vulnerabilities in aws-only Docker image
+      run: snyk container test snowplow/snowbridge:${{ github.ref_name }}-aws-only --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to monitor for vulnerabilities in main Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
+      with:
+        image: "snowplow/snowbridge:${{ github.ref_name }}"
+        args: "--app-vulns --org=data-processing-new --project-name=snowbridge-main"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to monitor for vulnerabilities in aws-only Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
+      with:
+        image: "snowplow/snowbridge:${{ github.ref_name }}-aws-only"
+        args: "--app-vulns --org=data-processing-new --project-name=snowbridge-aws-only"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
     - name: Create Release
       uses: actions/create-release@v1
       env:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -30,6 +30,11 @@ jobs:
         check-latest: true
         cache: true
 
+    - name: Extract project version from file
+      id: version
+      run: |
+          echo ::set-output name=VERSION::"$(cat VERSION)"
+
     - name: Block Concurrent Executions of Integration Tests
       if: ${{ env.NGROK_TOKEN != '' }} 
       uses: softprops/turnstyle@v1
@@ -60,8 +65,13 @@ jobs:
     - name: Snyk Setup
       uses: snyk/actions/setup@master
 
-    - name: Run Snyk to check for vulnerabilities
-      run: snyk test --project-name=snowbridge --severity-threshold=high
+    - name: Run Snyk to check for vulnerabilities in main Docker image
+      run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to check for vulnerabilities in aws-only Docker
+      run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}}-aws-only --severity-threshold=high
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml