From cfc8313ac9cb154090230be64ba6c2dbd3c90d7d Mon Sep 17 00:00:00 2001
From: pvannierop <pim@thehyve.nl>
Date: Fri, 14 Feb 2025 09:21:23 +0100
Subject: [PATCH] Add weekly Snyk Docker image scan to Github actions

Weekly check code base and docker base image for vulnerabilities. Vulnerabilities are reported to the Security tab in Github.
---
 .github/workflows/scheduled-snyk-docker.yaml | 40 ++++++++++++++++++++
 .github/workflows/scheduled-snyk.yaml        | 35 +++++++++--------
 .github/workflows/snyk.yaml                  | 22 +++++++----
 3 files changed, 73 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/scheduled-snyk-docker.yaml

diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
new file mode 100644
index 0000000..70450ed
--- /dev/null
+++ b/.github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,40 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+  DOCKER_IMAGE: radarbase/radar-redcapintegration
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        continue-on-error: true # To make sure that SARIF upload gets called
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE }}
+          # 'exclude-app-vulns' only tests vulnerabilities in the base image.
+          # Code base vulnerabilities are tested the scheduled-snyk.yaml action.
+          args: >-
+            --file=Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
index e7635f7..dc655bc 100644
--- a/.github/workflows/scheduled-snyk.yaml
+++ b/.github/workflows/scheduled-snyk.yaml
@@ -1,35 +1,38 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
+
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
     runs-on: ubuntu-latest
-    env:
-      REPORT_FILE: test.json
+
     steps:
       - uses: actions/checkout@v3
-
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+      - uses: actions/setup-node@v3
         with:
           node-version: 16
+          cache: npm
 
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snykS
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
 
-      - name: Report new vulnerabilities
-        uses: thehyve/report-vulnerability@master
-        if: success() || failure()
+      # Detected vulnerabilities will appear on Github in Security->Codescanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
         with:
-          report-file: ${{ env.REPORT_FILE }}
-        env:
-          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
index c1987f1..4aa6939 100644
--- a/.github/workflows/snyk.yaml
+++ b/.github/workflows/snyk.yaml
@@ -1,21 +1,27 @@
-name: Snyk test
+name: Snyk test on PR commits
+
 on:
   pull_request:
-    branches: [ master, dev ]
+    branches:
+      - main
+      - dev
+      - release-*
+
 jobs:
   security:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
 
-      - name: Use Node.js 16
-        uses: actions/setup-node@v3
-        with:
-          node-version: 16
-
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/gradle-jdk17@master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk