Scan Docker images in Snyk Github action (close #299)

snowplow · Dec 4, 2023 · f0ea4d4 · f0ea4d4
1 parent 7cb5dbf
commit f0ea4d4
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 41 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -44,14 +44,6 @@ jobs:
         echo "VERSION file ${{steps.version.outputs.VERSION_FILE}} does not match tagged version ${{ github.ref }}"
         exit 1
 
-    - name: Snyk Setup
-      uses: snyk/actions/setup@master
-
-    - name: Run Snyk to check for vulnerabilities
-      run: snyk test --project-name=snowbridge --severity-threshold=high
-      env:
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
     - name: Install ngrok
       run: |
           mkdir -p $GITHUB_WORKSPACE/bin
@@ -73,22 +65,55 @@ jobs:
     - name: Run e2e tests
       run: make e2e-test
 
-    - name: Create Release
-      uses: actions/create-release@v1
+    - name: Snyk Setup
+      uses: snyk/actions/setup@master
+
+    - name: Run Snyk to check for vulnerabilities in main Docker image
+      run: snyk container test snowplow/snowbridge:${{ github.ref_name }} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to check for vulnerabilities in aws-only Docker image
+      run: snyk container test snowplow/snowbridge:${{ github.ref_name }}-aws-only --severity-threshold=high
       env:
-        GITHUB_TOKEN: ${{ github.token }}
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to monitor for vulnerabilities in main Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
       with:
-        tag_name: ${{ github.ref }}
-        release_name: Release ${{ github.ref }}
-        draft: false
-        prerelease: ${{ contains(github.ref , '-') }}
+        image: "snowplow/snowbridge:${{ github.ref_name }}"
+        args: "--app-vulns --org=data-processing-new --project-name=snowbridge-main"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
-    - name: Upload release binaries
-      uses: alexellis/upload-assets@0.2.3
+    - name: Run Snyk to monitor for vulnerabilities in aws-only Docker image
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(github.ref, 'rc') }}
+      with:
+        image: "snowplow/snowbridge:${{ github.ref_name }}-aws-only"
+        args: "--app-vulns --org=data-processing-new --project-name=snowbridge-aws-only"
+        command: monitor
       env:
-        GITHUB_TOKEN: ${{ github.token }}
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Create GitHub release and attach artifacts
+      uses: softprops/action-gh-release@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        asset_paths: '["./build/compiled/*"]'
+        draft: true
+        prerelease: ${{ contains(github.ref , '-') }}
+        name: Release ${{ github.ref_name }}
+        tag_name: ${{ github.ref_name }}
+        files: |
+          build/compiled/snowbridge_${{ github.ref_name }}_aws-only_darwin_amd64.zip
+          build/compiled/snowbridge_${{ github.ref_name }}_aws-only_linux_amd64.zip
+          build/compiled/snowbridge_${{ github.ref_name }}_aws-only_windows_amd64.zip
+          build/compiled/snowbridge_${{ github.ref_name }}_darwin_amd64.zip
+          build/compiled/snowbridge_${{ github.ref_name }}_linux_amd64.zip
+          build/compiled/snowbridge_${{ github.ref_name }}_windows_amd64.zip
 
     - name: Publish to DockerHub
       run: make container-release

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -30,6 +30,11 @@ jobs:
         check-latest: true
         cache: true
 
+    - name: Extract project version from file
+      id: version
+      run: |
+          echo ::set-output name=VERSION::"$(cat VERSION)"
+
     - name: Block Concurrent Executions of Integration Tests
       if: ${{ env.NGROK_TOKEN != '' }} 
       uses: softprops/turnstyle@v1
@@ -60,8 +65,13 @@ jobs:
     - name: Snyk Setup
       uses: snyk/actions/setup@master
 
-    - name: Run Snyk to check for vulnerabilities
-      run: snyk test --project-name=snowbridge --severity-threshold=high
+    - name: Run Snyk to check for vulnerabilities in main Docker image
+      run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}} --severity-threshold=high
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+    - name: Run Snyk to check for vulnerabilities in aws-only Docker
+      run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}}-aws-only --severity-threshold=high
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 

diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml