Scan Docker images with Snyk container monitor in ci.yml (close #1191)

Whenever we release RDB loader, we run a Snyk scan to check for security vulnerabilites. Previously, we had a separate Github action for this, `snyk.yml` which just ran `snyk monitor` and did not scan the docker images. We are moving over to using `snyk container monitor` because we want to - be able to keep track of vulnerabilities in the docker images we create on release without manually adding them in the Snyk UI - continue scanning our java/scala jar files Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
snowplow · Feb 17, 2023 · 0998f5b · 0998f5b
1 parent b9035a5
commit 0998f5b
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 21 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -154,6 +154,18 @@ jobs:
           platforms: linux/amd64,linux/arm64/v8
           tags: ${{ steps.distroless-meta.outputs.tags }}
           push: true
+      - name: Build local distroless image, which is needed to run Snyk
+        if: ${{ !contains(github.ref_name, 'rc') }}
+        run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        if: ${{ !contains(github.ref_name, 'rc') }}
+        with:
+          image: "${{ steps.packageName.outputs.package_name }}:${{ github.ref_name }}-distroless"
+          args: "--app-vulns --org=data-processing-new"
+          command: monitor
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   create_release:
     needs: test

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
diff --git a/project/BuildSettings.scala b/project/BuildSettings.scala
@@ -183,7 +183,6 @@ object BuildSettings {
     dockerBaseImage := "gcr.io/distroless/java11-debian11:nonroot",
     Docker / daemonUser := "nonroot",
     Docker / daemonGroup := "nonroot",
-    dockerRepository := Some("snowplow"),
     Docker / daemonUserUid := None,
     Docker / defaultLinuxInstallLocation := "/home/snowplow",
     dockerEntrypoint := Seq("java", "-jar",s"/home/snowplow/lib/${(packageJavaLauncherJar / artifactPath).value.getName}"),