chore: add Snyk container scanner (#60)

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>
2023-11-02 15:17:03 -03:00
parent 0bd1316546
commit cfddaadf01
1 changed files with 15 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -33,6 +33,7 @@ jobs:
    permissions:
      contents: read
      packages: write
+      security-events: write
    steps:
    - name: Checkout Code
      uses: actions/checkout@v4
@@ -86,6 +87,20 @@ jobs:
        accept-keywords: key
        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py

+    - name: Run Snyk to check Docker image for vulnerabilities
+      uses: snyk/actions/docker@master
+      continue-on-error: true
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
+        args: --severity-threshold=high --file=${{ matrix.file }}
+
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: snyk.sarif
+
    - name: Build and push
      uses: docker/build-push-action@v5
      with: