Add weekly Snyk Docker image scan to Github actions

RADAR-base · Feb 13, 2025 · da9c876 · da9c876
1 parent 7ad34b4
commit da9c876
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 10 deletions.
diff --git a/.github/workflows/scheduled-snyk-docker.yaml b/.github/workflows/scheduled-snyk-docker.yaml
@@ -0,0 +1,44 @@
+name: Snyk scheduled Docker image scan
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities on backend image
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: radarbase/radar-rest-source-auth-backend
+          args: --file=authorizer-app-backend/Dockerfile --org=radar-base --fail-on=upgradable --severity-threshold=high --policy-path=$PWD/.snyk --json-file-output=backend.json
+
+      - name: Run Snyk to check for vulnerabilities on frontend image
+        uses: snyk/actions/docker@master
+        env:
+            SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+            image: radarbase/radar-rest-source-authorizer
+            args: --file=authorizer-app/Dockerfile --org=radar-base --fail-on=upgradable --severity-threshold=high --policy-path=$PWD/.snyk --json-file-output=frontend.json
+
+      - name: Report new backend vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+            report-file: backend.json
+        env:
+            TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Report new frontend vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+            report-file: frontend.json
+        env:
+            TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
@@ -1,21 +1,15 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
     runs-on: ubuntu-latest
-    env:
-      REPORT_FILE: test.json
     steps:
       - uses: actions/checkout@v3
       - uses: snyk/actions/setup@master
-        with:
-          snyk-version: v1.1032.0
 
       - name: Use Node.js 16
         uses: actions/setup-node@v3
@@ -38,14 +32,14 @@ jobs:
           --all-projects
           --configuration-matching='^runtimeClasspath$'
           --fail-on=upgradable
-          --json-file-output=${{ env.REPORT_FILE }}
+          --json-file-output=snyk.json
           --org=radar-base
           --policy-path=$PWD/.snyk
 
       - name: Report new vulnerabilities
         uses: thehyve/report-vulnerability@master
         if: success() || failure()
         with:
-          report-file: ${{ env.REPORT_FILE }}
+          report-file: snyk.json
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}