setup synk security scan for maven, iac, and Dockerfile #3020
yurake committed Feb 8, 2023
1 parent af165e4 commit f1ce8f6
Showing 2 changed files with 124 additions and 11 deletions.
108 changes: 108 additions & 0 deletions .github/workflows/docker-image-ci.yml
Expand Up @@ -70,6 +70,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - nginx
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/nginx
- name: Upload result to GitHub Code Scanning - nginx
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - mysql
uses: docker/build-push-action@v4
with:
Expand All @@ -82,6 +94,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - mysql
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/mysql
- name: Upload result to GitHub Code Scanning - mysql
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - postgres
uses: docker/build-push-action@v4
with:
Expand All @@ -94,6 +118,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - postgres
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/postgres
- name: Upload result to GitHub Code Scanning - postgres
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - mongodb
uses: docker/build-push-action@v4
with:
Expand All @@ -106,6 +142,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - mongodb
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/mongodb
- name: Upload result to GitHub Code Scanning - mongodb
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - cassandra
uses: docker/build-push-action@v4
with:
Expand All @@ -118,6 +166,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - cassandra
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/cassandra
- name: Upload result to GitHub Code Scanning - cassandra
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - rabbitmq
uses: docker/build-push-action@v4
with:
Expand All @@ -130,6 +190,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - rabbitmq
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/rabbitmq
- name: Upload result to GitHub Code Scanning - rabbitmq
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - jenkins
uses: docker/build-push-action@v4
with:
Expand All @@ -142,6 +214,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - jenkins
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/jenkins
- name: Upload result to GitHub Code Scanning - jenkins
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - ab
uses: docker/build-push-action@v4
with:
Expand All @@ -154,6 +238,18 @@ jobs:
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - ab
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/ab
- name: Upload result to GitHub Code Scanning - ab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif

- name: Build and push - postmannewman-quarkus
uses: docker/build-push-action@v4
with:
Expand All @@ -165,3 +261,15 @@ jobs:
BUILD_DATE=${BUILD_DATE}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache

- name: Run Snyk to check Docker image for vulnerabilities - postmannewman-quarkus
continue-on-error: true
uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus
- name: Upload result to GitHub Code Scanning - postmannewman-quarkus
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
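Review bot: The nine upload steps in this job (L27-L30, L46-L49, L65-L68, L84-L87, L103-L106, L122-L125, L141-L144, L160-L163, L180-L183) all upload `snyk.sarif` without a `category:` input, and per the upload-sarif documentation uploads for the same commit, ref and category replace one another — the default category is derived from the workflow and job, which is identical for all nine, so I expect only the postmannewman-quarkus findings to remain visible in Code Scanning. Giving each upload a distinct value under its `with:`, e.g. `category: snyk-docker-nginx`, keeps every image's results. Each Snyk step also overwrites the same `snyk.sarif`; with `continue-on-error: true` a scan that fails before writing the file would let the following upload step re-send the previous image's report, so consider a per-image `--sarif-file-output` via `args:` as well. The job header is outside the hunk, so confirm it grants `security-events: write`, which upload-sarif requires.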
27 changes: 16 additions & 11 deletions .github/workflows/snyk-infrastructure.yml
Expand Up @@ -23,29 +23,34 @@ permissions:
contents: read

jobs:
snyk:
snyk-iac:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
snyk-maven:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
continue-on-error: true
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
args: --sarif-file-output=snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
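Review bot: The new `snyk-maven` job (L211-L228) still invokes `snyk/actions/iac` (L216), so despite its name it never tests the Maven dependencies; the snyk/actions repository ships a `maven` action in the same tree, so the same pinned commit can be used as `uses: snyk/actions/maven@14818c4695ecc4045f33c9cee9e795a788711ca4`. The job also declares no `permissions:` block (L211-L213), and with the top-level `permissions: contents: read` (L186-L187) the `GITHUB_TOKEN` will lack `security-events: write`, so its upload-sarif step (L229-L231) should be rejected while the `snyk-iac` job, which carries the block at L192-L195, succeeds. `actions/checkout@master` (L214) is a moving branch reference, unlike the sibling job's `@v3` at L198 and the SHA-pinned Snyk action; pin it the same way. Both jobs upload `snyk.sarif` for the same commit, so a distinct `category:` on each upload step would keep the IaC and Maven findings apart in Code Scanning.
```yaml
  snyk-maven:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/maven@14818c4695ecc4045f33c9cee9e795a788711ca4
        # … unchanged: continue-on-error, env, with/args, upload step …
```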
