marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity
Files
6883910f08bd420e20d6c85255ab885702618410
cnpg-postgres-containers/.github/actions/security-scans/action.yml
Niccolò Fei 6883910f08 ci: add a composite action for security scanners 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
2025-10-13 16:35:41 +02:00

65 lines
2.3 KiB
YAML
Raw Blame History

name: Security Scans
description: Security Scans
inputs:
image:
description: "The image to scan"
required: true
registry_user:
description: "The user used to pull the image"
required: true
registry_token:
description: "The token used to pull the image"
required: true
snyk_token:
description: "The snyk authentication token"
required: false
dockerfile:
description: "The image's Dockerfile"
required: false
default: './Dockerfile'
runs:
using: composite
steps:
- name: Log in to the GitHub Container registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ inputs.registry_user }}
password: ${{ inputs.registry_token }}
- name: Dockle
uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
with:
image: "${{ inputs.image }}"
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
- name: Snyk
uses: snyk/actions/docker@master
id: snyk
if: ${{ inputs.snyk_token != '' }}
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning.
continue-on-error: true
env:
SNYK_TOKEN: ${{ inputs.snyk_token }}
with:
image: "${{ inputs.image }}"
args: --severity-threshold=high --file=${{ inputs.dockerfile }}
- name: Replace sarif security-severity invalid values
if: ${{ steps.snyk.conclusion == 'success' }}
shell: bash
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
if: ${{ steps.snyk.conclusion == 'success' }}
with:
sarif_file: snyk.sarif
View Git Blame Copy Permalink