ci: add a composite action for security scanners

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
2025-10-10 17:47:56 +02:00
parent 15b9d07bdf
commit 6883910f08
3 changed files with 141 additions and 38 deletions
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -143,46 +143,14 @@ jobs:
      - name: Checkout Code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

-      - name: Log in to the GitHub Container registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Dockle
-        uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
-        with:
-          image: ${{ matrix.image }}
-          exit-code: '1'
-          failure-threshold: WARN
-          accept-keywords: key
-          accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
-
-      - name: Snyk
-        uses: snyk/actions/docker@master
-        id: snyk
-        if: ${{ env.SNYK_TOKEN != '' }}
-        # Snyk can be used to break the build when it detects vulnerabilities.
-        # In this case we want to upload the issues to GitHub Code Scanning.
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Security checks
+        uses: ./.github/actions/security-scans
        with:
          image: "${{ matrix.image }}"
-          args: --severity-threshold=high --file=Dockerfile
-
-      - name: Replace sarif security-severity invalid values
-        if: ${{ steps.snyk.conclusion == 'success' }}
-        run: |
-          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
-          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
-
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
-        if: ${{ steps.snyk.conclusion == 'success' }}
-        with:
-          sarif_file: snyk.sarif
+          registry_user: ${{ github.actor }}
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          snyk_token: ${{ secrets.SNYK_TOKEN }}
+          dockerfile: "./Dockerfile"

  # Use the metadata generated in the `testbuild` step to find all the images
  # that have been built. We copy them one by one to the production registry