diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 8e39c8cc4..7664e0b4b 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -70,6 +70,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - nginx
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/nginx
+ - name: Upload result to GitHub Code Scanning - nginx
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - mysql
 uses: docker/build-push-action@v4
 with:
@@ -82,6 +94,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - mysql
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/mysql
+ - name: Upload result to GitHub Code Scanning - mysql
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - postgres
 uses: docker/build-push-action@v4
 with:
@@ -94,6 +118,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - postgres
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/postgres
+ - name: Upload result to GitHub Code Scanning - postgres
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - mongodb
 uses: docker/build-push-action@v4
 with:
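Review bot: Every `Upload result to GitHub Code Scanning` step added here (nginx in this hunk, and likewise the mysql, postgres, mongodb, cassandra, rabbitmq, jenkins, ab and postmannewman-quarkus hunks) uploads `snyk.sarif` without a `category`, and Code Scanning treats uploads for the same commit and category as one analysis, so later uploads supersede earlier ones and only the last image's findings are likely to stay visible. Give each upload its own category, e.g. `category: snyk-docker-nginx` under `with:` of the upload step, varying the image name per hunk. The scanned `image:` reference carries no tag, so unless the preceding build-push step (outside the hunk) tags the image `latest`, the scan may inspect a different image from the one just built; pin it to the tag that was pushed. The upload step also needs `security-events: write` on this job, which is not visible in these hunks — if the job's permissions block does not grant it, the upload is rejected. Since all nine step pairs differ only in the image name, a matrix over the image list would keep the scan configured in one place.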
@@ -106,6 +142,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - mongodb
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/mongodb
+ - name: Upload result to GitHub Code Scanning - mongodb
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - cassandra
 uses: docker/build-push-action@v4
 with:
@@ -118,6 +166,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - cassandra
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/cassandra
+ - name: Upload result to GitHub Code Scanning - cassandra
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - rabbitmq
 uses: docker/build-push-action@v4
 with:
@@ -130,6 +190,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - rabbitmq
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/rabbitmq
+ - name: Upload result to GitHub Code Scanning - rabbitmq
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - jenkins
 uses: docker/build-push-action@v4
 with:
@@ -142,6 +214,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - jenkins
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/jenkins
+ - name: Upload result to GitHub Code Scanning - jenkins
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - ab
 uses: docker/build-push-action@v4
 with:
@@ -154,6 +238,18 @@ jobs:
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
 
+ - name: Run Snyk to check Docker image for vulnerabilities - ab
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/ab
+ - name: Upload result to GitHub Code Scanning - ab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+
 - name: Build and push - postmannewman-quarkus
 uses: docker/build-push-action@v4
 with:
@@ -165,3 +261,15 @@ jobs:
 BUILD_DATE=${BUILD_DATE}
 cache-from: type=local,src=/tmp/.buildx-cache
 cache-to: type=local,dest=/tmp/.buildx-cache
+
+ - name: Run Snyk to check Docker image for vulnerabilities - postmannewman-quarkus
+ continue-on-error: true
+ uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ secrets.DOCKERHUB_USER }}/postmannewman-quarkus
+ - name: Upload result to GitHub Code Scanning - postmannewman-quarkus
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
diff --git a/.github/workflows/snyk-infrastructure.yml b/.github/workflows/snyk-infrastructure.yml
index 6f05b13ab..3105cd334 100644
--- a/.github/workflows/snyk-infrastructure.yml
+++ b/.github/workflows/snyk-infrastructure.yml
@@ -23,7 +23,7 @@ permissions:
 contents: read
 jobs:
- snyk:
+ snyk-iac:
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -31,21 +31,26 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: Run Snyk to check configuration files for security issues
- # Snyk can be used to break the build when it detects security issues.
- # In this case we want to upload the issues to GitHub Code Scanning
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
 continue-on-error: true
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
+ snyk-maven:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Run Snyk to check for vulnerabilities
 uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
+ continue-on-error: true
 env:
- # In order to use the Snyk Action you will need to have a Snyk API token.
- # More details in https://github.com/snyk/actions#getting-your-snyk-token
- # or you can signup for free at https://snyk.io/login
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
- # Add the path to the configuration file that you would like to test.
- # For example `deployment.yaml` for a Kubernetes deployment manifest
- # or `main.tf` for a Terraform configuration file
- file: your-file-to-test.yaml
+ args: --sarif-file-output=snyk.sarif
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v2
 with:
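Review bot: The new `snyk-maven` job in the second hunk has no `permissions:` block, and the workflow-level `permissions:` shown in the first hunk grants only `contents: read`, so its `Upload result to GitHub Code Scanning` step runs without `security-events: write` and the SARIF upload is rejected; it needs the same two-line grant the `snyk-iac` job carries. The job is named `snyk-maven` yet runs `snyk/actions/iac@14818c…`, the same IaC scan `snyk-iac` already performs, so either the name is misleading or the step was meant to use one of the Snyk Maven action variants — worth confirming which was intended before merging. It also checks out with `actions/checkout@master`, a mutable branch ref, where the sibling job uses `@v3`; a pinned tag, or a full SHA as already done for the Snyk action, avoids executing whatever `master` holds at run time. Note too that the `snyk-iac` step dropped the `with: args: --sarif-file-output=snyk.sarif` that `snyk-maven` keeps; if the action does not write `snyk.sarif` by default, the upload step that follows fails on a missing file, so verify the default rather than relying on it.
```yaml
  snyk-maven:
    permissions:
      contents: read
      security-events: write
    # … unchanged: runs-on …
    steps:
      - uses: actions/checkout@v3
      # … unchanged: Snyk IaC step and SARIF upload …
```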