Merge pull request #17 from Steavy/development

fix snyk docker image scanning next trial
Steavy · Jan 30, 2024 · 3257beb · 3257beb
2 parents 0d37368 + 540e607
commit 3257beb
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 23 deletions.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -4,7 +4,7 @@ on:
   push:
     branches: [ development, steven ]
   pull_request:
-    branches: [ development, steven, workshop, main ]
+    branches: [ main ]
     types: [opened, synchronize, reopened]   
 
 jobs:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,28 +16,34 @@ jobs:
     - run: docker push ${{secrets.DOCKERHUB_USERNAME}}/nest-demo-app
 
 
-  snyk_image_scanning:
-
+  snyk_image_scanning:    
+    permissions:
+       id-token: read
+       contents: read
+       packages: read
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build -t ${{secrets.DOCKERHUB_USERNAME}}/nest-demo-app .
-    - name: Run Snyk to check Docker image for vulnerabilities
-      # Snyk can be used to break the build when it detects vulnerabilities.
-      # In this case we want to upload the issues to GitHub Code Scanning
-      continue-on-error: true
-      uses: snyk/actions/docker@master
-      env:
-        # In order to use the Snyk Action you will need to have a Snyk API token.
-        # More details in https://github.com/snyk/actions#getting-your-snyk-token
-        # or you can signup for free at https://snyk.io/login
-        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      with:
-        image: ${{secrets.DOCKERHUB_USERNAME}}/nest-demo-app
-        args: --file=Dockerfile --exclude-base-image-vulns
-    - name: Upload result to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@v1
-      with:
-        sarif_file: snyk.sarif
+          - name: Checkout 🛎️
+            uses: actions/checkout@v2
+
+          - name: Log in to the Container registry 📦
+            uses: docker/login-action@v2
+            with:
+              registry: ${{ env.GITHUB_REGISTRY }}
+              username: ${{ github.actor }}
+              password: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Scan Docker image 🐳
+            uses: snyk/actions/docker@master
+            continue-on-error: true
+            with:
+              image: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_REPOSITORY }}:${{ env.DOCKER_IMAGE_TAG }}
+              args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
+            env:
+              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+          - name: Upload Snyk report as sarif 📦
+            uses: github/codeql-action/upload-sarif@v2
+            with:
+              sarif_file: snyk.sarif