From 3f38dfdb578866bac7e622a6556ea9aabaf863f7 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 12 Feb 2025 11:58:39 +0100
Subject: [PATCH] Update Github actions to include weekly Snyk Docker image scan
---
 .github/workflows/scheduled_snyk.yaml | 16 +++------
 .github/workflows/scheduled_snyk_docker.yaml | 34 ++++++++++++++++++++
 2 files changed, 39 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/scheduled_snyk_docker.yaml
diff --git a/.github/workflows/scheduled_snyk.yaml b/.github/workflows/scheduled_snyk.yaml
index bff414df..30322a11 100644
--- a/.github/workflows/scheduled_snyk.yaml
+++ b/.github/workflows/scheduled_snyk.yaml
@@ -1,10 +1,8 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
 on:
 schedule:
 - cron: '0 2 * * 1'
- push:
- branches:
- - master
+ workflow_dispatch:
 jobs:
 security:
@@ -14,9 +12,6 @@ jobs:
 run:
 working-directory: java-sdk
- env:
- REPORT_FILE: /tmp/test.json
-
 steps:
 - uses: actions/checkout@v3
 - uses: snyk/actions/setup@master
@@ -31,7 +26,7 @@ jobs:
 - name: Setup Gradle
 uses: gradle/gradle-build-action@v2
- - name: Run Snyk
+ - name: Run Snyk to check for vulnerabilities
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 run: >
@@ -39,14 +34,13 @@ jobs:
 --all-sub-projects
 --configuration-matching='^runtimeClasspath$'
 --fail-on=upgradable
- --json-file-output=${{ env.REPORT_FILE }}
 --org=radar-base
 --policy-path=$PWD/.snyk
 - name: Report new vulnerabilities
 uses: thehyve/report-vulnerability@master
- if: success() || failure()
 with:
- report-file: ${{ env.REPORT_FILE }}
+ report-file: snyk.json
 env:
 TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ if: success() || failure()
diff --git a/.github/workflows/scheduled_snyk_docker.yaml b/.github/workflows/scheduled_snyk_docker.yaml
new file mode 100644
index 00000000..9c00abc6
--- /dev/null
+++ b/.github/workflows/scheduled_snyk_docker.yaml
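Review bot: `report-file: snyk.json` in the Report step of the `@@ -39,14 +34,13 @@` hunk names a file that nothing in the new workflow writes, because the same hunk drops `--json-file-output=${{ env.REPORT_FILE }}` from the `snyk test` command and the `@@ -14,9 +12,6 @@` hunk removes the REPORT_FILE env it pointed at. As far as I know `snyk test` only writes a JSON file when that flag is given, so unless thehyve/report-vulnerability produces the report itself (not visible here) the step will run against a missing file; keep an output flag aimed at the new path, `--json-file-output=snyk.json`. The context in the earlier hunk shows `working-directory: java-sdk`, which looks like a job-level `defaults.run` setting that the `run:` step inherits but the action does not, so the file should be written as `--json-file-output=${{ github.workspace }}/snyk.json` or read as `report-file: java-sdk/snyk.json` to keep both sides on the same path. The `run: >` block that this hunk edits begins in the previous hunk.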
@@ -0,0 +1,34 @@
+name: Snyk scheduled Docker image scan
+
+on:
+ schedule:
+ - cron: '0 3 * * 1'
+ workflow_dispatch:
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - uses: snyk/actions/setup@master
+ with:
+ snyk-version: v1.1032.0
+
+ - name: Run Snyk to check for vulnerabilities
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ run: >
+ snyk container test
+ --severity-threshold=high
+ --fail-on=upgradable
+ --file=Dockerfile
+ radarbase/radar-schemas-tools
+
+ - name: Report new vulnerabilities
+ uses: thehyve/report-vulnerability@master
+ with:
+ report-file: snyk.json
+ env:
+ TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ if: ${{ failure() }}
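Review bot: The `snyk container test` command in this new file writes no report, yet the following step reads `report-file: snyk.json`; as far as I know Snyk only emits that file on request, so add `--json-file-output=snyk.json` to the `run: >` block (the scheduled_snyk.yaml hunks above have the same gap). The report step is gated on `if: ${{ failure() }}` while the sibling workflow uses `success() || failure()`; since `--fail-on=upgradable` appears to fail the scan only for upgradable findings, high-severity results that have no upgrade path would neither fail the job nor be reported — confirm that is intended. `snyk/actions/setup@master` and `thehyve/report-vulnerability@master` are mutable branch refs for steps that receive `SNYK_TOKEN` and `GITHUB_TOKEN`; pin them (and `actions/checkout@v3`) to full commit SHAs and add a job-level `permissions:` block granting only what report-vulnerability needs, so a compromised upstream branch cannot widen the token's reach. Lastly, `radarbase/radar-schemas-tools` is named without a tag, so the scan seems to cover whatever the registry's default tag resolves to rather than the image built from the checked-out Dockerfile; if the goal is to scan the current build, build and tag the image in a prior step and pass that tag here.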