-
Notifications
You must be signed in to change notification settings - Fork 185
66 lines (63 loc) · 1.81 KB
/
security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Security Scan
on:
push:
branches:
- master
- release/*
schedule:
- cron: "23 18 * * *"
workflow_dispatch:
jobs:
scan-code:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Security Scan
uses: snyk/actions/python-3.10@master
continue-on-error: true
with:
args: --fail-on=upgradable
--severity-threshold=high
--all-projects
--exclude=tests,docs
--sarif-file-output=snyk-code.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
scan-image:
runs-on: ubuntu-latest
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@master
with:
remove-dotnet: "true"
remove-haskell: "true"
remove-android: "true"
root-reserve-mb: "30720"
- uses: actions/checkout@v3
- name: Build Docker Image
run: |
DOCKER_BUILDKIT=1 docker build . \
--build-arg RUNTIMES=all \
-t $MLSERVER_IMAGE
env:
MLSERVER_IMAGE: seldonio/mlserver:${{ github.sha }}
- name: Scan Docker Image
uses: snyk/actions/docker@master
continue-on-error: true
with:
image: seldonio/mlserver:${{ github.sha }}
args: --fail-on=upgradable
--severity-threshold=high
--app-vulns
--file=Dockerfile
--policy-path=.snyk
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif