ci: add a composite action for security scanners

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
2025-10-10 17:47:56 +02:00
parent 15b9d07bdf
commit 6883910f08
3 changed files with 141 additions and 38 deletions
--- a/.github/actions/security-scans/action.yml
+++ b/.github/actions/security-scans/action.yml
@@ -0,0 +1,64 @@
+name: Security Scans
+description: Security Scans
+inputs:
+  image:
+    description: "The image to scan"
+    required: true
+  registry_user:
+    description: "The user used to pull the image"
+    required: true
+  registry_token:
+    description: "The token used to pull the image"
+    required: true
+  snyk_token:
+    description: "The snyk authentication token"
+    required: false
+  dockerfile:
+    description: "The image's Dockerfile"
+    required: false
+    default: './Dockerfile'
+
+runs:
+  using: composite
+  steps:
+    - name: Log in to the GitHub Container registry
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.registry_user }}
+        password: ${{ inputs.registry_token }}
+
+    - name: Dockle
+      uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
+      with:
+        image: "${{ inputs.image }}"
+        exit-code: '1'
+        failure-threshold: WARN
+        accept-keywords: key
+        accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
+
+    - name: Snyk
+      uses: snyk/actions/docker@master
+      id: snyk
+      if: ${{ inputs.snyk_token != '' }}
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning.
+      continue-on-error: true
+      env:
+        SNYK_TOKEN: ${{ inputs.snyk_token }}
+      with:
+        image: "${{ inputs.image }}"
+        args: --severity-threshold=high --file=${{ inputs.dockerfile }}
+
+    - name: Replace sarif security-severity invalid values
+      if: ${{ steps.snyk.conclusion == 'success' }}
+      shell: bash
+      run: |
+        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+        sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
+      if: ${{ steps.snyk.conclusion == 'success' }}
+      with:
+        sarif_file: snyk.sarif