Skip to content
Vulnerability by snyk.io

Create snyk-vulnerability.yml #1

Sign in to view logs

Create snyk-vulnerability.yml

Create snyk-vulnerability.yml #1

Workflow file for this run

.github/workflows/snyk-vulnerability.yml at 6c9b193
name: Vulnerability by snyk.io
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '0 21 * * 1' # run every Monday at 21
permissions:
contents: read
jobs:
snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
env:
IMAGE_NAME: ${{ github.repository }}
steps:
- uses: actions/checkout@v4
- name: downcase repository name for image
run: |
echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
- name: R setup
uses: r-lib/actions/setup-r@v2
- name: Build R package (tarball)
run: R CMD build .
- name: Build a Docker image
run: docker build -t ${IMAGE_NAME} --build-arg GH_PAT=${{ secrets.GITHUB_TOKEN}} .
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@3e2680e8df93a24b52d119b1305fb7cedc60ceae
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${IMAGE_NAME}
args: --file=Dockerfile --severity-threshold=high
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Accept only vulnerability levels below high (and critical)
continue-on-error: false
uses: snyk/actions/docker@3e2680e8df93a24b52d119b1305fb7cedc60ceae
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${IMAGE_NAME}
args: --file=Dockerfile --severity-threshold=high