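---
# Composite action: container-image security scans.
#
# Steps, in order:
#   1. Log in to ghcr.io with the supplied registry credentials.
#   2. Dockle (image lint / hardening checks) — fails the job at WARN or above.
#   3. Snyk container scan — only when `snyk_token` is non-empty; never fails
#      the job by itself (continue-on-error) so findings reach Code Scanning.
#   4. Normalise invalid `security-severity` values in the SARIF file.
#   5. Upload the SARIF to GitHub Code Scanning.
#
# Steps 4 and 5 are gated on `steps.snyk.conclusion == 'success'`. Because the
# Snyk step sets `continue-on-error: true`, its conclusion is 'success' even
# when Snyk itself exits non-zero (e.g. vulnerabilities found); it is 'skipped'
# only when no token was provided, which also skips the upload.
name: Security Scans
description: Security Scans

inputs:
  image:
    description: "The image to scan"
    required: true
  registry_user:
    description: "The user used to pull the image"
    required: true
  registry_token:
    description: "The token used to pull the image"
    required: true
  snyk_token:
    description: "The snyk authentication token"
    required: false
  dockerfile:
    description: "The image's Dockerfile"
    required: false
    default: './Dockerfile'

runs:
  using: composite
  steps:
    - name: Log in to the GitHub Container registry
      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
      with:
        registry: ghcr.io
        username: ${{ inputs.registry_user }}
        password: ${{ inputs.registry_token }}

    - name: Dockle
      uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
      with:
        image: "${{ inputs.image }}"
        # Non-zero exit on findings at or above the failure threshold.
        exit-code: '1'
        failure-threshold: WARN
        # Accepted false positives: files whose name matches "key" / the
        # listed paths are not treated as leaked secrets.
        accept-keywords: key
        accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py

    - name: Snyk
      # TODO(review): this is the only step referencing a mutable branch
      # (`@master`); the other steps pin a commit SHA. Pin this one to a
      # reviewed commit SHA too, so the scanner's code cannot change
      # underneath us without a visible diff here.
      uses: snyk/actions/docker@master
      id: snyk
      # Skip the scan entirely when no token was supplied.
      if: ${{ inputs.snyk_token != '' }}
      # Snyk can be used to break the build when it detects vulnerabilities.
      # In this case we want to upload the issues to GitHub Code Scanning.
      continue-on-error: true
      env:
        # Passed via env rather than args so it never appears on a command line.
        SNYK_TOKEN: ${{ inputs.snyk_token }}
      with:
        image: "${{ inputs.image }}"
        args: --severity-threshold=high --file=${{ inputs.dockerfile }}

    - name: Replace sarif security-severity invalid values
      if: ${{ steps.snyk.conclusion == 'success' }}
      shell: bash
      run: |
        # The Snyk step cannot fail the job (continue-on-error), so a missing
        # SARIF means the scan did not run to completion (auth/network/CLI
        # error). Fail loudly here instead of with an opaque sed error, so a
        # silently-skipped scan is never mistaken for a clean one.
        if [ ! -f snyk.sarif ]; then
          echo "::error::snyk.sarif was not produced; check the Snyk step output"
          exit 1
        fi
        # Code Scanning rejects non-numeric security-severity values; map the
        # two known invalid forms to "0" in a single pass.
        sed -i \
          -e 's/"security-severity": "null"/"security-severity": "0"/g' \
          -e 's/"security-severity": "undefined"/"security-severity": "0"/g' \
          snyk.sarif

    - name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
      if: ${{ steps.snyk.conclusion == 'success' }}
      with:
        sarif_file: snyk.sarif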