Merge pull request #393 from RADAR-base/feature/action-docker-image-scan

Add weekly Snyk Docker image scan to Github actions
RADAR-base · Feb 12, 2025 · 3a0d785 · 3a0d785
2 parents b4c9628 + 3f38dfd
commit 3a0d785
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 11 deletions.
diff --git a/.github/workflows/scheduled_snyk.yaml b/.github/workflows/scheduled_snyk.yaml
@@ -1,10 +1,8 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
@@ -14,9 +12,6 @@ jobs:
       run:
         working-directory: java-sdk
 
-    env:
-      REPORT_FILE: /tmp/test.json
-
     steps:
       - uses: actions/checkout@v3
       - uses: snyk/actions/setup@master
@@ -31,22 +26,21 @@ jobs:
       - name: Setup Gradle
         uses: gradle/gradle-build-action@v2
 
-      - name: Run Snyk
+      - name: Run Snyk to check for vulnerabilities
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run: >
           snyk test
           --all-sub-projects
           --configuration-matching='^runtimeClasspath$'
           --fail-on=upgradable
-          --json-file-output=${{ env.REPORT_FILE }}
           --org=radar-base
           --policy-path=$PWD/.snyk
 
       - name: Report new vulnerabilities
         uses: thehyve/report-vulnerability@master
-        if: success() || failure()
         with:
-          report-file: ${{ env.REPORT_FILE }}
+          report-file: snyk.json
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        if: success() || failure()
diff --git a/.github/workflows/scheduled_snyk_docker.yaml b/.github/workflows/scheduled_snyk_docker.yaml
@@ -0,0 +1,34 @@
+name: Snyk scheduled Docker image scan
+
+on:
+    schedule:
+        - cron: '0 3 * * 1'
+    workflow_dispatch:
+
+jobs:
+    security:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/checkout@v3
+            - uses: snyk/actions/setup@master
+              with:
+                  snyk-version: v1.1032.0
+
+            - name: Run Snyk to check for vulnerabilities
+              env:
+                  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+              run: >
+                  snyk container test
+                  --severity-threshold=high
+                  --fail-on=upgradable
+                  --file=Dockerfile
+                  radarbase/radar-schemas-tools
+                  
+            - name: Report new vulnerabilities
+              uses: thehyve/report-vulnerability@master
+              with:
+                  report-file: snyk.json
+              env:
+                  TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              if: ${{ failure() }}