Uses snyk instead of docker_scan-lint

Move to .github/draft
mjanez · Sep 14, 2023 · ea1abe5 · ea1abe5
1 parent 74835ef
commit ea1abe5
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 12 deletions.
diff --git a/.github/draft/docker_scan-lint.yaml b/.github/draft/docker_scan-lint.yaml
@@ -0,0 +1,33 @@
+name: Scan & lint ckan-pycsw images
+
+on:
+    # Trigger the workflow after docker.yml
+    workflow_run:
+      workflows: ['Build ckan-pycsw images']
+      branches: ['main', 'latest']
+      pull_request:
+        branches: ['main']
+      types: 
+        - completed
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  CONTEXT: .
+  DOCKERFILE_PATH: /ckan-pycsw
+  DOCKERFILE: Dockerfile
+
+jobs:
+  image_scan:
+    runs-on: ubuntu-latest
+    steps:
+    -   name: Scan & lint image
+        uses: ISID/[email protected]
+        with:
+          tag: ${{ env.IMAGE_NAME }}
+          path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
+          dockerfile: ${{ env.DOCKERFILE }}
+          hadolint-severity: error
+          dockle-severity: FATAL
+          trivy-severity: HIGH,CRITICAL
+
diff --git a/.github/workflows/docker-dev.yaml b/.github/workflows/docker-dev.yaml
@@ -55,10 +55,34 @@ jobs:
           context: ${{ env.CONTEXT }}
           file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
 
-      - 
-        name: Scan image
-        uses: ISID/[email protected]
+  scan_docker_image:
+    permissions:
+      id-token: read
+      contents: read
+      packages: read
+    runs-on: ubuntu-latest
+    needs: [ docker ]
+    steps:
+      - name: Checkout 
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Scan Docker image
+        uses: snyk/actions/docker@master
+        continue-on-error: true
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Snyk report as sarif
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          tag: ${{ env.IMAGE_NAME }}
-          path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
-          dockerfile: ${{ env.DOCKERFILE }}
+          sarif_file: snyk.sarif
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -55,10 +55,34 @@ jobs:
           context: ${{ env.CONTEXT }}
           file: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}/${{ env.DOCKERFILE }}
 
-      - 
-        name: Scan image
-        uses: ISID/[email protected]
+  scan_docker_image:
+    permissions:
+      id-token: read
+      contents: read
+      packages: read
+    runs-on: ubuntu-latest
+    needs: [ docker ]
+    steps:
+      - name: Checkout 
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Scan Docker image
+        uses: snyk/actions/docker@master
+        continue-on-error: true
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Snyk report as sarif
+        uses: github/codeql-action/upload-sarif@v2
         with:
-          tag: ${{ env.IMAGE_NAME }}
-          path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
-          dockerfile: ${{ env.DOCKERFILE }}
+          sarif_file: snyk.sarif