Scan Docker images with Snyk in github action (close #346)

snowplow-incubator · Apr 3, 2023 · 8f7eff4 · 8f7eff4
1 parent b8a93c7
commit 8f7eff4
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 25 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -117,3 +117,16 @@ jobs:
           platforms: linux/amd64,linux/arm64/v8
           tags: ${{ steps.distroless-meta.outputs.tags }}
           push: true
+
+      - name: Build local distroless image, which is needed to run Snyk
+        if: ${{ !contains(github.ref_name, 'rc') }}
+        run: sbt "project ${{ matrix.app }}Distroless" docker:publishLocal
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        if: ${{ !contains(github.ref_name, 'rc') }}
+        with:
+          image: "snowplow/snowplow-bigquery-${{ matrix.app }}:${{ github.ref_name }}-distroless"
+          args: "--app-vulns --org=data-processing-new"
+          command: monitor
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml