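name: Snyk Container

# Builds each base image, pushes it to GHCR, then scans the pushed image with
# Snyk and publishes the findings to GitHub Code Scanning.
on:
  push:
    branches: ["main"]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ["main"]
  schedule:
    - cron: '30 22 * * 5'

jobs:
  build_image:
    # Least privilege for GITHUB_TOKEN: no step in this job requests an OIDC
    # token, so id-token: write is not granted. The registry login below uses
    # the GHCR_TOKEN secret rather than GITHUB_TOKEN.
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-latest
    env:
      GITHUB_REGISTRY: ghcr.io
    strategy:
      fail-fast: false
      matrix:
        config:
          - name: base-r
          - name: base-r-alpine
    steps:
      # NOTE(review): the actions below are referenced by tag. Tags can be
      # moved upstream; pinning each one to a reviewed full commit SHA makes
      # the build reproducible and limits supply-chain exposure.
      - uses: actions/checkout@v4
      # NOTE(review): this job also runs on pull_request with push: true.
      # Secrets are not passed to workflows triggered from forks, so the
      # login fails there; same-repo PR branches do push a pr-N tagged image.
      - name: Log in to the Container registry 📦
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.GITHUB_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.6.1
      - name: Prepare tags
        id: docker_meta
        uses: docker/metadata-action@v5.5.1
        with:
          # The registry is part of the image name so that every generated tag
          # is fully qualified. The tags output is a newline-separated list;
          # prefixing it with the registry afterwards would only qualify the
          # first entry.
          images: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=schedule,pattern=weekly
            type=semver,pattern={{version}}
      - name: Build and push docker image
        uses: docker/build-push-action@v6.9.0
        with:
          context: ./${{ matrix.config.name }}/.
          file: ./${{ matrix.config.name }}/Dockerfile
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  snyk:
    # Least privilege for GITHUB_TOKEN: this job only reads the repository and
    # uploads SARIF. upload-sarif needs security-events: write; because this
    # block is explicit, any scope not listed here is not granted.
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    needs: [build_image]
    env:
      GITHUB_REGISTRY: ghcr.io
    strategy:
      fail-fast: false
      matrix:
        config:
          - name: base-r
          - name: base-r-alpine
    name: ${{ matrix.config.name }}
    steps:
      - uses: actions/checkout@v4
      - name: Log in to the Container registry 📦
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.GITHUB_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Prepare tags
        id: docker_meta
        uses: docker/metadata-action@v5.5.1
        with:
          images: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=schedule,pattern=weekly
            type=semver,pattern={{version}}
      # The scan steps need exactly one image reference, so they use the
      # single-valued version output instead of the multi-line tags output.
      #
      # NOTE(review): snyk/actions/docker@master is a mutable branch ref and
      # the action receives SNYK_TOKEN. Pin it to a reviewed full commit SHA
      # so an upstream change cannot alter what runs with that secret.
      - name: Run Snyk to check Docker image for vulnerabilities
        # Findings must not stop the job here: the SARIF upload and the
        # monitor step still have to run. The gate is the last step.
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}:${{ steps.docker_meta.outputs.version }}
          args: >-
            --file=${{ matrix.config.name }}/Dockerfile
            --severity-threshold=critical
            --sarif-file-output=snyk.sarif
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif
      - name: Monitor image in Snyk UI
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
          image: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}:${{ steps.docker_meta.outputs.version }}
          args: >-
            --file=${{ matrix.config.name }}/Dockerfile
            --severity-threshold=critical
            --org=b034af62-43be-40c7-95e8-fdc56d6f3092
      # Gate: repeats the scan without continue-on-error so that a finding at
      # the critical threshold fails the job.
      - name: Accept only vulnerability levels below critical
        continue-on-error: false
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.GITHUB_REGISTRY }}/rapporteket/${{ matrix.config.name }}:${{ steps.docker_meta.outputs.version }}
          args: >-
            --file=${{ matrix.config.name }}/Dockerfile
            --severity-threshold=critical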