Snyk-testing av docker image (#19)

.github/workflows/snyk.yml

@@ -0,0 +1,53 @@
+name: Snyk Container
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '30 22 * * 5'
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    name: norgast-snyk
+    steps:
+    - uses: actions/checkout@v4
+    - name: R setup
+      uses: r-lib/actions/setup-r@v2
+    - name: Build package (tarball)
+      run: R CMD build .
+    - name: Build docker image
+      run: docker build -t norgast-snyk .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: snyk.sarif
+    - name: Monitor image in Snyk UI
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        command: monitor
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high --org=b034af62-43be-40c7-95e8-fdc56d6f3092
+    - name: Accept only vulnerability levels below high 
+      continue-on-error: false
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high