
Add weekly Snyk Docker image scan to Github actions
Weekly check of the code base and Docker base image for vulnerabilities. Vulnerabilities are reported to the Security tab in GitHub.
pvannierop committed Feb 14, 2025
1 parent 0f3a7fa commit a033ccf
Showing 3 changed files with 71 additions and 23 deletions.
40 changes: 40 additions & 0 deletions .github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,40 @@
name: Snyk scheduled Docker base image scan

on:
schedule:
- cron: '0 3 * * 1'
workflow_dispatch:

env:
DOCKER_IMAGE: radarbase/radar-redcapintegration

jobs:
security:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Run Snyk to check for vulnerabilities
continue-on-error: true # To make sure that SARIF upload gets called
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_IMAGE }}
# 'exclude-app-vulns' only tests vulnerabilities in the base image.
# Code base vulnerabilities are tested the scheduled-snyk.yaml action.
args: >-
--file=Dockerfile
--fail-on=upgradable
--severity-threshold=high
--policy-path=.snyk
--exclude-app-vulns
--org=radar-base
--sarif-file-output=snyk.sarif
# Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
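Review bot: the `Upload result to GitHub Code Scanning` step requires the workflow's GITHUB_TOKEN to hold `security-events: write`, and this new workflow declares no `permissions:` block; if the repository's default token permissions are read-only, the SARIF upload is rejected and nothing reaches the Security tab the commit message promises. Add at job level:
permissions:
  contents: read
  security-events: write
A secondary supply-chain point: `snyk/actions/docker@master` tracks a mutable branch, so the scheduled scan runs whatever that branch contains on any given Monday; pinning to a commit SHA makes it reproducible. Minor: the comment above `args:` reads "tested the scheduled-snyk.yaml action" and is missing "in".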
35 changes: 19 additions & 16 deletions .github/workflows/scheduled-snyk.yaml
@@ -1,35 +1,38 @@
name: Snyk scheduled test
name: Snyk scheduled code base scan

on:
schedule:
- cron: '0 2 * * 1'
push:
branches:
- master
workflow_dispatch:

jobs:
security:
runs-on: ubuntu-latest
env:
REPORT_FILE: test.json

steps:
- uses: actions/checkout@v3

- name: Use Node.js 16
uses: actions/setup-node@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm

- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle-jdk17@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
args: >-
--all-projects
--configuration-matching='^runtimeClasspath$'
--fail-on=upgradable
--severity-threshold=high
--policy-path=.snykS
--org=radar-base
--sarif-file-output=snyk.sarif
- name: Report new vulnerabilities
uses: thehyve/report-vulnerability@master
if: success() || failure()
# Detected vulnerabilities will appear on Github in Security->Codescanning_alerts tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
report-file: ${{ env.REPORT_FILE }}
env:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
sarif_file: snyk.sarif
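Review bot: `--policy-path=.snykS` on the new args line looks like a typo for `.snyk`; the other two workflows in this commit use `--policy-path=.snyk`. With the policy file not found, the ignores recorded in `.snyk` are not applied, so previously accepted issues resurface as high-severity findings, and because `continue-on-error: true` hides the Snyk exit code, the job itself gives no hint that the policy was skipped. The same `security-events: write` permission requirement noted for the Docker workflow applies to the `upload-sarif` step here, and `snyk/actions/gradle-jdk17@master` is likewise unpinned.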
19 changes: 12 additions & 7 deletions .github/workflows/snyk.yaml
@@ -1,21 +1,26 @@
name: Snyk test

on:
pull_request:
branches: [ master, dev ]
branches:
- main
- dev

jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Use Node.js 16
uses: actions/setup-node@v3
with:
node-version: 16

- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle-jdk17@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk
args: >-
--all-projects
--configuration-matching="^runtimeClasspath$"
--severity-threshold=high
--fail-on=upgradable
--org=radar-base
--policy-path=.snyk

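Review bot: the pull_request trigger changes the branch list from `master` to `main`, but `scheduled-snyk.yaml` in this same commit still runs on `push` to `master`; one of the two is wrong, and if the default branch is still `master` the PR-time scan silently stops running, which removes the only gate that blocks vulnerable dependencies before merge. Align both files on the repository's actual default branch. Minor: `--configuration-matching` is double-quoted here and single-quoted in scheduled-snyk.yaml; one quoting style across the three files avoids surprises when the folded `args` string is word-split by the action's shell.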