
chore: add Snyk container scanner
Signed-off-by: Jonathan Gonzalez V <[email protected]>
sxd committed Nov 3, 2023
1 parent ab36107 commit 339f8b1
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -17,6 +17,7 @@ env:
permissions:
contents: write
packages: write
security-events: write

jobs:
build-and-publish:
Expand Down Expand Up @@ -79,6 +80,40 @@ jobs:
org.opencontainers.image.version=${{ env.PGBOUNCER_VERSION }}
org.opencontainers.image.revision=${{ env.RELEASE_VERSION }}
org.opencontainers.image.licenses=PostgreSQL
-
name: Build and push
uses: docker/build-push-action@v5
with:
platforms: ${{ env.PLATFORMS }}
context: .
push: false
load: true
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}

- name: Dockle scan
uses: erzz/dockle-action@v1
with:
image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION}}"
exit-code: '1'
failure-threshold: WARN
accept-keywords: key
#accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py

- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION}}"
args: --severity-threshold=high --file=${{ matrix.file }}

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

-
name: Build and push
uses: docker/build-push-action@v5
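Review bot: `uses: snyk/actions/docker@master` pins a third-party action to a mutable branch while handing it `SNYK_TOKEN`, so any future push to that branch runs with the secret inside this workflow; pin it to a full commit SHA with a version comment, e.g. `uses: snyk/actions/docker@<full-commit-sha>  # <released tag>`. With `continue-on-error: true` the `--severity-threshold=high` gate never fails the job, so the threshold only shapes what lands in Code Scanning; if that is intended, a comment such as `# advisory only: findings go to Code Scanning, build is not blocked` would stop the next reader from assuming high-severity findings block the build. `--file=${{ matrix.file }}` refers to a matrix that is not visible in this hunk; if `build-and-publish` declares none, the flag expands to `--file=` and the scan may not locate the Dockerfile. The `upload-sarif` step has no `continue-on-error`, so a Snyk run that produces no `snyk.sarif` would fail the job there rather than at the scanner step. The enclosing `build-and-publish` job starts and ends outside the hunk.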
