Rapporteket · arnfinn · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,45 @@
+name: Snyk Container
+
+on:
+  release:
+    types: [published]
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: R setup
+      uses: r-lib/actions/setup-r@v2.10.1
+    - name: Build package (tarball)
+      run: R CMD build .
+    - name: Build docker image
+      run: export GITHUB_PAT=${{ github.token }} && docker build -t snyktest --secret id=GITHUB_PAT .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: snyktest
+        args: --file=Dockerfile --severity-threshold=high
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: snyk.sarif
+    - name: Accept only vulnerability levels below high 
+      continue-on-error: false
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: snyktest
+        args: --file=Dockerfile --severity-threshold=high
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 FROM rapporteket/base-r:4.2.2
 
 LABEL maintainer="Arnfinn Hykkerud Steindal <arnfinn.hykkerud.steindal@helse-nord.no>"