From 362011d5a21ef6477612d6698d4fbf0ce7b54670 Mon Sep 17 00:00:00 2001
From: spenes
Date: Thu, 30 Nov 2023 15:52:56 +0300
Subject: [PATCH] Scan Docker images in Snyk Github action (close #299)

---
 .github/workflows/cd.yml | 41 +++++++++++++++++++++++++++++++++--------
 .github/workflows/ci.yml | 14 ++++++++++++--
 .github/workflows/snyk.yml | 20 --------------------
 3 files changed, 45 insertions(+), 30 deletions(-)
 delete mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 1e70452f..2e986d70 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -44,14 +44,6 @@ jobs:
 echo "VERSION file ${{steps.version.outputs.VERSION_FILE}} does not match tagged version ${{ github.ref }}"
 exit 1
 
- - name: Snyk Setup
- uses: snyk/actions/setup@master
-
- - name: Run Snyk to check for vulnerabilities
- run: snyk test --project-name=snowbridge --severity-threshold=high
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
 - name: Install ngrok
 run: |
 mkdir -p $GITHUB_WORKSPACE/bin
@@ -73,6 +65,39 @@ jobs:
 - name: Run e2e tests
 run: make e2e-test
 
+ - name: Snyk Setup
+ uses: snyk/actions/setup@master
+
+ - name: Run Snyk to check for vulnerabilities in main Docker image
+ run: snyk container test snowplow/snowbridge:${{ github.ref_name }} --severity-threshold=high
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Run Snyk to check for vulnerabilities in aws-only Docker image
+ run: snyk container test snowplow/snowbridge:${{ github.ref_name }}-aws-only --severity-threshold=high
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Run Snyk to monitor for vulnerabilities in main Docker image
+ uses: snyk/actions/docker@master
+ if: ${{ !contains(github.ref, 'rc') }}
+ with:
+ image: "snowplow/snowbridge:${{ github.ref_name }}"
+ args: "--app-vulns --org=data-processing-new --project-name=snowbridge-main"
+ command: monitor
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Run Snyk to monitor for vulnerabilities in aws-only Docker image
+ uses: snyk/actions/docker@master
+ if: ${{ !contains(github.ref, 'rc') }}
+ with:
+ image: "snowplow/snowbridge:${{ github.ref_name }}-aws-only"
+ args: "--app-vulns --org=data-processing-new --project-name=snowbridge-aws-only"
+ command: monitor
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
 - name: Create Release
 uses: actions/create-release@v1
 env:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9ed38976..4c35c043 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,11 @@ jobs:
 check-latest: true
 cache: true
 
+ - name: Extract project version from file
+ id: version
+ run: |
+ echo ::set-output name=VERSION::"$(cat VERSION)"
+
 - name: Block Concurrent Executions of Integration Tests
 if: ${{ env.NGROK_TOKEN != '' }}
 uses: softprops/turnstyle@v1
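Review bot: The new `uses: snyk/actions/docker@master` and `uses: snyk/actions/setup@master` steps execute whatever is on that branch at run time while holding `SNYK_TOKEN`, so a compromised or force-pushed action repository obtains the token and arbitrary code execution inside the release job; pin each to a full commit SHA, e.g. `uses: snyk/actions/docker@<40-char-sha> # vX.Y.Z`, and let Dependabot track updates. The two `snyk container test` lines also splice `${{ github.ref_name }}` directly into a shell command, which is the script-injection pattern GitHub's hardening guide warns about; pass it through the step's `env:` (`TAG: ${{ github.ref_name }}`) and write `snyk container test "snowplow/snowbridge:$TAG" --severity-threshold=high`. Whether these images are built locally or have already been pushed to Docker Hub before this point is outside the hunk; if a push precedes it, a failing scan aborts the GitHub release but leaves the vulnerable image public, which is worth confirming.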
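Review bot: `echo ::set-output name=VERSION::"$(cat VERSION)"` uses the `set-output` workflow command, which GitHub deprecated in favour of the `$GITHUB_OUTPUT` file and flags with a warning on every run; stdout-parsed commands were also the channel behind the earlier `set-env` injection advisory, which is why the file form exists. Replace the line with `echo "VERSION=$(cat VERSION)" >> "$GITHUB_OUTPUT"`. The `VERSION_FILE` output that cd.yml already consumes is produced outside this diff; if it is built the same way it should be changed too.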
@@ -60,8 +65,13 @@ jobs:
 - name: Snyk Setup
 uses: snyk/actions/setup@master
 
- - name: Run Snyk to check for vulnerabilities
- run: snyk test --project-name=snowbridge --severity-threshold=high
+ - name: Run Snyk to check for vulnerabilities in main Docker image
+ run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}} --severity-threshold=high
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ - name: Run Snyk to check for vulnerabilities in aws-only Docker
+ run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}}-aws-only --severity-threshold=high
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index 2ef62290..00000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: snyk
-
-on:
- push:
- branches: [ master ]
-
-jobs:
- security:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Run Snyk to check for vulnerabilities
- uses: snyk/actions/golang@master
- with:
- command: monitor
- args: --prune-repeated-subdependencies --project-name=snowbridge
- env:
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
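Review bot: The two added `run:` lines expand `${{steps.version.outputs.VERSION}}` straight into the shell, and that value is the raw contents of the repository's `VERSION` file, so a pull request that edits that file controls the command text; on fork PRs the absent `SNYK_TOKEN` would probably fail the step first, but the safe form is to export it via `env:` (`VERSION: ${{ steps.version.outputs.VERSION }}`) and use `"snowplow/snowbridge:$VERSION"`. Nothing in the hunk builds or loads an image tagged with that version; as far as I know `snyk container test` pulls the image from the registry when it is not in the local daemon, which would mean scanning the last published `snowplow/snowbridge:<VERSION>` rather than the one built from this commit, so please confirm a build step precedes this. The enclosing job continues outside the hunk.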