Scan Docker images in Snyk Github action (close #131)

Note that even though we are already creating docker images in `ci.yml`, they are pushed to the remote registry only, and that is why here we additionally add a step to create local Docker images for the Snyk scan.
snowplow · Apr 4, 2023 · a009946 · a009946
1 parent 789fe22
commit a009946
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 20 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -137,3 +137,15 @@ jobs:
         platforms: linux/amd64,linux/arm64/v8
         tags: ${{ steps.meta-distroless.outputs.tags }}
         push: true
+    - name: Build local distroless image, which is needed to run Snyk
+      if: ${{ !contains(steps.ver.outputs.tag, 'rc') }}
+      run: sbt "project igluServerDistroless" docker:publishLocal
+    - name: Run Snyk to check for vulnerabilities
+      uses: snyk/actions/docker@master
+      if: ${{ !contains(steps.ver.outputs.tag, 'rc') }}
+      with:
+        image: "snowplow/iglu-server:${{ steps.ver.outputs.tag }}-distroless"
+        args: "--app-vulns --org=data-processing-new"
+        command: monitor
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml