Snyk take2 #96

Closed
wants to merge 18 commits into from
89 changes: 65 additions & 24 deletions .github/workflows/snyk.yml
Expand Up @@ -9,16 +9,60 @@ on:
schedule:
- cron: '30 22 * * 5'

permissions:
contents: read

jobs:

build_image:
permissions:
id-token: write
contents: read
packages: write
runs-on: ubuntu-latest
env:
GITHUB_REGISTRY: ghcr.io
strategy:
fail-fast: false
matrix:
config:
- {name: base-r}
- {name: base-r-alpine}
steps:
- uses: actions/checkout@v4
- name: Log in to the Container registry 📦
uses: docker/[email protected]
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/[email protected]
- name: Prepare tags
id: docker_meta
uses: docker/[email protected]
with:
images: rapporteket/${{ matrix.config.name }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=schedule,pattern=weekly
type=semver,pattern={{version}}
- name: Build and push docker image
uses: docker/[email protected]
with:
context: ./${{ matrix.config.name }}/.
file: ./${{ matrix.config.name }}/Dockerfile
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max

snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
id-token: write
contents: read
packages: write
runs-on: ubuntu-latest
needs: [ build_image ]
env:
GITHUB_REGISTRY: ghcr.io
strategy:
fail-fast: false
matrix:
Expand All @@ -28,27 +72,24 @@ jobs:
name: ${{ matrix.config.name }}
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/[email protected]
- name: Build docker image
uses: docker/[email protected]
- name: Prepare tags
id: docker_meta
uses: docker/[email protected]
with:
context: ./${{ matrix.config.name }}/.
file: ./${{ matrix.config.name }}/Dockerfile
push: false
tags: rapporteket/${{ matrix.config.name }}
cache-from: type=gha
cache-to: type=gha,mode=max
images: rapporteket/${{ matrix.config.name }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=schedule,pattern=weekly
type=semver,pattern={{version}}
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: rapporteket/${{ matrix.config.name }}
args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical
image: ${{ steps.docker_meta.outputs.tags }}
args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
Expand All @@ -60,13 +101,13 @@ jobs:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: rapporteket/${{ matrix.config.name }}
image: ${{ steps.docker_meta.outputs.tags }}
args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical --org=b034af62-43be-40c7-95e8-fdc56d6f3092
- name: Accept only vulnerability levels below critical
- name: Accept only vulnerability levels below high
continue-on-error: false
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: rapporteket/${{ matrix.config.name }}
args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=critical
image: ${{ steps.docker_meta.outputs.tags }}
args: --file=${{ matrix.config.name }}/Dockerfile --severity-threshold=high
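Review bot: The `snyk` job still runs `github/codeql-action/upload-sarif@v3`, but its new `permissions:` block (first hunk, `id-token: write` / `contents: read` / `packages: write`) no longer carries `security-events: write`; if the three commented lines above it are the removed side of that hunk, as the hunk's line counts suggest, the SARIF upload will be refused with a 403 and findings never reach Code Scanning. Conversely nothing visible in either job uses OIDC or GHCR — the login step authenticates to Docker Hub with the `DOCKERHUB_*` secrets and no `registry:` input — so `GITHUB_REGISTRY: ghcr.io` is dead configuration and `packages: write` / `id-token: write` are grants that widen the job token for no benefit. I would set the snyk job to `permissions: {contents: read, security-events: write, actions: read}`, drop `id-token`, `packages` and the unused env from both jobs, or add `registry: ${{ env.GITHUB_REGISTRY }}` to the login step if GHCR is actually the intent. Also note that `steps.docker_meta.outputs.tags` is a newline-separated list rather than a single reference; with the listed tag rules it is usually one tag, but `image:` for the three snyk steps expects exactly one, so `image: ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }}` would be the robust form.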