Skip to content

Commit

Permalink
Merge pull request #75 from RADAR-base/feature/snyk-docker-image-scan
Browse files Browse the repository at this point in the history 
Add weekly Snyk Docker image scan to Github actions
  • Loading branch information
@pvannierop
pvannierop authored Feb 14, 2025
2 parents 0f3a7fa + cfc8313 commit d50878e
Show file tree
Hide file tree
Showing 3 changed files with 73 additions and 24 deletions.
40 changes: 40 additions & 0 deletions .github/workflows/scheduled-snyk-docker.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
name: Snyk scheduled Docker base image scan

on:
schedule:
- cron: '0 3 * * 1'
workflow_dispatch:

env:
DOCKER_IMAGE: radarbase/radar-redcapintegration

jobs:
security:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3

- name: Run Snyk to check for vulnerabilities
continue-on-error: true # To make sure that SARIF upload gets called
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_IMAGE }}
# 'exclude-app-vulns' only tests vulnerabilities in the base image.
# Code base vulnerabilities are tested the scheduled-snyk.yaml action.
args: >-
--file=Dockerfile
--fail-on=upgradable
--severity-threshold=high
--policy-path=.snyk
--exclude-app-vulns
--org=radar-base
--sarif-file-output=snyk.sarif
# Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
35 changes: 19 additions & 16 deletions .github/workflows/scheduled-snyk.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,35 +1,38 @@
name: Snyk scheduled test
name: Snyk scheduled code base scan

on:
schedule:
- cron: '0 2 * * 1'
push:
branches:
- master
workflow_dispatch:

jobs:
security:
runs-on: ubuntu-latest
env:
REPORT_FILE: test.json

steps:
- uses: actions/checkout@v3

- name: Use Node.js 16
uses: actions/setup-node@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm

- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle-jdk17@master
continue-on-error: true # To make sure that SARIF upload gets called
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
args: >-
--all-projects
--configuration-matching='^runtimeClasspath$'
--fail-on=upgradable
--severity-threshold=high
--policy-path=.snykS
--org=radar-base
--sarif-file-output=snyk.sarif
- name: Report new vulnerabilities
uses: thehyve/report-vulnerability@master
if: success() || failure()
# Detected vulnerabilities will appear on Github in Security->Codescanning_alerts tab
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
report-file: ${{ env.REPORT_FILE }}
env:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
sarif_file: snyk.sarif
22 changes: 14 additions & 8 deletions .github/workflows/snyk.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,21 +1,27 @@
name: Snyk test
name: Snyk test on PR commits

on:
pull_request:
branches: [ master, dev ]
branches:
- main
- dev
- release-*

jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3

- name: Use Node.js 16
uses: actions/setup-node@v3
with:
node-version: 16

- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/gradle-jdk17@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk
args: >-
--all-projects
--configuration-matching="^runtimeClasspath$"
--severity-threshold=high
--fail-on=upgradable
--org=radar-base
--policy-path=.snyk

0 comments on commit d50878e

Please sign in to comment.