From f0ea4d4991cc3f1d70f67f6daf9131d95229a6a8 Mon Sep 17 00:00:00 2001
From: spenes
Date: Thu, 30 Nov 2023 15:52:56 +0300
Subject: [PATCH] Scan Docker images in Snyk Github action (close #299)

---
 .github/workflows/cd.yml | 63 ++++++++++++++++++++++++++------------
 .github/workflows/ci.yml | 14 +++++++--
 .github/workflows/snyk.yml | 20 ------------
 3 files changed, 56 insertions(+), 41 deletions(-)
 delete mode 100644 .github/workflows/snyk.yml

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 1e70452f..d79bc5ea 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -44,14 +44,6 @@ jobs:
 echo "VERSION file ${{steps.version.outputs.VERSION_FILE}} does not match tagged version ${{ github.ref }}" exit 1 - - name: Snyk Setup - uses: snyk/actions/setup@master - - - name: Run Snyk to check for vulnerabilities - run: snyk test --project-name=snowbridge --severity-threshold=high - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Install ngrok run: | mkdir -p $GITHUB_WORKSPACE/bin
@@ -73,22 +65,55 @@ jobs:
 - name: Run e2e tests run: make e2e-test - - name: Create Release - uses: actions/create-release@v1 + - name: Snyk Setup + uses: snyk/actions/setup@master + + - name: Run Snyk to check for vulnerabilities in main Docker image + run: snyk container test snowplow/snowbridge:${{ github.ref_name }} --severity-threshold=high + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Run Snyk to check for vulnerabilities in aws-only Docker image + run: snyk container test snowplow/snowbridge:${{ github.ref_name }}-aws-only --severity-threshold=high env: - GITHUB_TOKEN: ${{ github.token }} + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Run Snyk to monitor for vulnerabilities in main Docker image + uses: snyk/actions/docker@master + if: ${{ !contains(github.ref, 'rc') }} with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref }} - draft: false - prerelease: ${{ contains(github.ref , '-') }} + image: "snowplow/snowbridge:${{ github.ref_name }}" + args: "--app-vulns --org=data-processing-new --project-name=snowbridge-main" + command: monitor + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Upload release binaries - uses: alexellis/upload-assets@0.2.3 + - name: Run Snyk to monitor for vulnerabilities in aws-only Docker image + uses: snyk/actions/docker@master + if: ${{ !contains(github.ref, 'rc') }} + with: + image: "snowplow/snowbridge:${{ github.ref_name }}-aws-only" + args: "--app-vulns --org=data-processing-new --project-name=snowbridge-aws-only" + command: monitor env: - GITHUB_TOKEN: ${{ github.token }} + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Create GitHub release and attach artifacts + uses: softprops/action-gh-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - asset_paths: '["./build/compiled/*"]' + draft: true + prerelease: ${{ contains(github.ref , '-') }} + name: Release ${{ github.ref_name }} + tag_name: ${{ github.ref_name }} + files: | + build/compiled/snowbridge_${{ 
github.ref_name }}_aws-only_darwin_amd64.zip + build/compiled/snowbridge_${{ github.ref_name }}_aws-only_linux_amd64.zip + build/compiled/snowbridge_${{ github.ref_name }}_aws-only_windows_amd64.zip + build/compiled/snowbridge_${{ github.ref_name }}_darwin_amd64.zip + build/compiled/snowbridge_${{ github.ref_name }}_linux_amd64.zip + build/compiled/snowbridge_${{ github.ref_name }}_windows_amd64.zip - name: Publish to DockerHub run: make container-release
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9ed38976..4c35c043 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,11 @@ jobs:
 check-latest: true cache: true + - name: Extract project version from file + id: version + run: | + echo ::set-output name=VERSION::"$(cat VERSION)" + - name: Block Concurrent Executions of Integration Tests if: ${{ env.NGROK_TOKEN != '' }} uses: softprops/turnstyle@v1
@@ -60,8 +65,13 @@ jobs:
 - name: Snyk Setup uses: snyk/actions/setup@master - - name: Run Snyk to check for vulnerabilities - run: snyk test --project-name=snowbridge --severity-threshold=high + - name: Run Snyk to check for vulnerabilities in main Docker image + run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}} --severity-threshold=high + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Run Snyk to check for vulnerabilities in aws-only Docker + run: snyk container test snowplow/snowbridge:${{steps.version.outputs.VERSION}}-aws-only --severity-threshold=high env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
deleted file mode 100644
index 2ef62290..00000000
--- a/.github/workflows/snyk.yml
+++ /dev/null
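Review bot: The two gating `snyk container test` commands in this hunk pass only `--severity-threshold=high`, while the two `monitor` steps add `--app-vulns`; if the CLI that `snyk/actions/setup@master` installs does not already include application dependencies in `container test` by default, the Go module check that the removed `snyk test` step performed is no longer a release gate, so the test commands should carry `--app-vulns` as well (or a comment should record that the installed CLI defaults to it). Every third-party action here is referenced by a mutable ref — `snyk/actions/setup@master`, `snyk/actions/docker@master`, `softprops/action-gh-release@v1` — in steps that receive `SNYK_TOKEN` and `GITHUB_TOKEN`; pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: snyk/actions/docker@<FULL_COMMIT_SHA>  # <upstream tag>`, keeps an upstream tag or branch move from changing what runs with those secrets. `draft: false` becomes `draft: true` in the release step, a change the commit title does not cover; if intentional, a comment such as `# Create the release as a draft; it is published manually after review` would record it. With snyk.yml deleted, `snyk monitor` now runs only in this tag-triggered job and is skipped for refs containing `rc`, so Snyk project snapshots are refreshed at release time rather than on every push to master as the deleted workflow did. The steps list belongs to a job whose header and trigger are outside the hunk.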
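Review bot: The new version step writes its output with `echo ::set-output name=VERSION::"$(cat VERSION)"`, a workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` environment file; the equivalent is `run: echo "VERSION=$(cat VERSION)" >> "$GITHUB_OUTPUT"`. cd.yml's counterpart step exposes the same file under a different output name (`steps.version.outputs.VERSION_FILE` appears in the first hunk's context; the step itself is outside these hunks), so using one output name in both workflows would keep the Snyk step blocks interchangeable. The step presumably relies on VERSION holding a single token that is valid as an image tag; a one-line comment above `run:` stating that assumption would help the next reader.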
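Review bot: Both `snyk container test` lines splice `${{steps.version.outputs.VERSION}}` straight into the `run:` script, so whatever the checked-out VERSION file contains becomes part of the command text before the shell parses it; the pattern GitHub recommends is to pass the value through the step's `env:` as `IMAGE_TAG: ${{ steps.version.outputs.VERSION }}` and reference it quoted, `run: snyk container test "snowplow/snowbridge:${IMAGE_TAG}" --severity-threshold=high`. How much this matters depends on whether the workflow runs on pull_request events from forks (the trigger is outside the hunk), but the cd.yml test steps interpolate `github.ref_name` the same way and would take the same fix. The second step's name, `Run Snyk to check for vulnerabilities in aws-only Docker`, drops the word "image" used by its sibling and by the cd.yml steps.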
@@ -1,20 +0,0 @@
-name: snyk - -on: - push: - branches: [ master ] - -jobs: - security: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/golang@master - with: - command: monitor - args: --prune-repeated-subdependencies --project-name=snowbridge - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}