From a37ef82c3a8218a92c81e1eedfde328151bd3c4b Mon Sep 17 00:00:00 2001
From: Arnfinn Hykkerud Steindal
Date: Tue, 8 Oct 2024 11:01:33 +0200
Subject: [PATCH] Snyk-testing av docker image (#19)
---
.github/workflows/snyk.yml | 53 ++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 .github/workflows/snyk.yml
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
new file mode 100644
index 0000000..6908c7f
--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,53 @@
+name: Snyk Container
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '30 22 * * 5'
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ name: norgast-snyk
+ steps:
+ - uses: actions/checkout@v4
+ - name: R setup
+ uses: r-lib/actions/setup-r@v2
+ - name: Build package (tarball)
+ run: R CMD build .
+ - name: Build docker image
+ run: docker build -t norgast-snyk .
+ - name: Run Snyk to check Docker image for vulnerabilities
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want to upload the issues to GitHub Code Scanning
+ continue-on-error: true
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: norgast-snyk
+ args: --file=Dockerfile --severity-threshold=high
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk.sarif
+ - name: Monitor image in Snyk UI
+ continue-on-error: true
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ command: monitor
+ image: norgast-snyk
+ args: --file=Dockerfile --severity-threshold=high --org=b034af62-43be-40c7-95e8-fdc56d6f3092
+ - name: Accept only vulnerability levels below high
+ continue-on-error: false
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: norgast-snyk
+ args: --file=Dockerfile --severity-threshold=high
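Review bot: All three scanning steps reference the third-party action by a mutable branch (`uses: snyk/actions/docker@master`) while handing it `SNYK_TOKEN`, so whatever is pushed to that branch later runs in this job with the secret; the other actions in the file are at least tag-pinned, and these should be pinned to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: snyk/actions/docker@<pinned-commit-sha> # <release-tag>`. The workflow also declares no `permissions:` block, yet the `github/codeql-action/upload-sarif@v3` step needs `security-events: write` on the default token; with restricted default permissions that upload will fail, and with permissive defaults the job holds far more than it uses, so add at the top level `permissions:` / `  contents: read` / `  security-events: write`. Because the workflow triggers on `pull_request`, `secrets.SNYK_TOKEN` will presumably be empty for runs from forks, in which case the last step (`continue-on-error: false`) fails for reasons unrelated to image vulnerabilities; if that is not intended, gate the Snyk steps on the secret being present or restrict them to `push`. Finally, the upload step has no `if:` guard, so when the preceding scan errors out before writing `snyk.sarif` the upload fails on a missing file rather than reporting the scan error.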