Merge pull request #19 from Steavy/development

Next try with Snyk Docker image scanning
Steavy · Jan 30, 2024 · 8125082 · 8125082
2 parents 3257beb + 730e768
commit 8125082
Showing 1 changed file with 55 additions and 29 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,7 +2,7 @@ name: Release
 
 on:
   push:
-    branches: [ main ] 
+    branches: [ main, development ] 
 
 jobs:
   deploy:
@@ -17,33 +17,59 @@ jobs:
 
 
   snyk_image_scanning:    
-    permissions:
-       id-token: read
-       contents: read
-       packages: read
+   # permissions:
+   #    id-token: read
+   #    contents: read
+   #    packages: read
     runs-on: ubuntu-latest
-    
+
     steps:
-          - name: Checkout 🛎️
-            uses: actions/checkout@v2
-
-          - name: Log in to the Container registry 📦
-            uses: docker/login-action@v2
-            with:
-              registry: ${{ env.GITHUB_REGISTRY }}
-              username: ${{ github.actor }}
-              password: ${{ secrets.GITHUB_TOKEN }}
-
-          - name: Scan Docker image 🐳
-            uses: snyk/actions/docker@master
-            continue-on-error: true
-            with:
-              image: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_REPOSITORY }}:${{ env.DOCKER_IMAGE_TAG }}
-              args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
-            env:
-              SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-
-          - name: Upload Snyk report as sarif 📦
-            uses: github/codeql-action/upload-sarif@v2
-            with:
-              sarif_file: snyk.sarif
+    - uses: actions/checkout@v2
+    - name: Build the Docker image
+      run: docker build -t ${{secrets.DOCKERHUB_USERNAME}}/nest-demo-app .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        # In order to use the Snyk Action you will need to have a Snyk API token.
+        # More details in https://github.com/snyk/actions#getting-your-snyk-token
+        # or you can signup for free at https://snyk.io/login
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: ${{secrets.DOCKERHUB_USERNAME}}/nest-demo-app
+        args: --file=Dockerfile --exclude-base-image-vulns
+    #- name: Upload result to GitHub Code Scanning
+    #  uses: github/codeql-action/upload-sarif@v1
+     # with:
+      #  sarif_file: snyk.sarif
+    - name: Upload Snyk report as sarif 📦
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: snyk.sarif
+
+   # steps:
+   #       - name: Checkout 🛎️
+    #        uses: actions/checkout@v2
+
+   #       - name: Log in to the Container registry 📦
+   #         uses: docker/login-action@v2
+   #         with:
+   #           registry: ${{ env.GITHUB_REGISTRY }}
+   #           username: ${{ github.actor }}
+   #           password: ${{ secrets.GITHUB_TOKEN }}
+
+    #      - name: Scan Docker image 🐳
+    #        uses: snyk/actions/docker@master
+    #        continue-on-error: true
+     #       with:
+     #         image: ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_REPOSITORY }}:${{ env.DOCKER_IMAGE_TAG }}
+     #         args: --file=Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif
+    #        env:
+     #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      #    - name: Upload Snyk report as sarif 📦
+      #      uses: github/codeql-action/upload-sarif@v2
+      #      with:
+       #       sarif_file: snyk.sarif