Snyk-scanning av image (#54)

Måtte tvinge docker til å bruke siste versjon av docker syntax, og bytte til nyeste versjon av base image
Rapporteket · Oct 9, 2024 · fac1ea9 · fac1ea9
1 parent 9c27f0a
commit fac1ea9
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,47 @@
+name: Snyk Container
+
+on:
+  release:
+    types: [published]
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    env:
+      GITHUB_PAT: ${{ github.token }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: R setup
+      uses: r-lib/actions/setup-r@v2.10.1
+    - name: Build package (tarball)
+      run: R CMD build .
+    - name: Build docker image
+      run: docker build -t snyktest --secret id=GITHUB_PAT .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: snyktest
+        args: --file=Dockerfile --severity-threshold=high
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: snyk.sarif
+    - name: Accept only vulnerability levels below high 
+      continue-on-error: false
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: snyktest
+        args: --file=Dockerfile --severity-threshold=high
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
-FROM rapporteket/base-r:4.2.2
+# syntax=docker/dockerfile:1
+FROM rapporteket/base-r:main
 
 LABEL maintainer="Arnfinn Hykkerud Steindal <arnfinn.hykkerud.steindal@helse-nord.no>"