From 6d01f3a1d4e91236e5caac268527fce9944e2ed8 Mon Sep 17 00:00:00 2001
From: David Burel
Date: Thu, 1 May 2025 20:15:13 +0200
Subject: [PATCH 1/4] Add Snyk Container Scan workflow for Docker image security checks
---
.github/workflows/snyk-container-scan.yml | 72 +++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 .github/workflows/snyk-container-scan.yml
diff --git a/.github/workflows/snyk-container-scan.yml b/.github/workflows/snyk-container-scan.yml
new file mode 100644
index 0000000..d6857d0
--- /dev/null
+++ b/.github/workflows/snyk-container-scan.yml
@@ -0,0 +1,72 @@
+name: Snyk Container Scan
+
+# Controls when the workflow will run
+on:
+ # This workflow uses the "workflow_call" event to allow it to be called from other workflows
+ workflow_call:
+ inputs:
+ working_directory:
+ required: false
+ type: string
+ default: "."
+ image_name:
+ required: true
+ type: string
+ default: "your/image-to-test"
+
+# Assign permissions for the workflow
+permissions:
+ contents: read
+
+env:
+ wrk_dir: ${{ inputs.working_directory }}
+ img: ${{ inputs.image_name }}
+
+jobs:
+ security:
+ name: Snyk Container Scan
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@master
+ - name: Check directory
+ run: |
+ if [ ! -d "$WRK_DIR" ]
+ then
+ echo "Directory $WRK_DIR does not exist."
+ exit 1
+ fi
+ shell: bash
+ env:
+ WRK_DIR: ${{ env.wrk_dir }}
+ - name: Check Dockerfile
+ run: |
+ if [ ! -f "$WRK_DIR/Dockerfile" ]
+ then
+ echo "Dockerfile not found in $WRK_DIR."
+ exit 1
+ fi
+ shell: bash
+ env:
+ WRK_DIR: ${{ env.wrk_dir }}
+ - name: Check Docker image name
+ run: |
+ if [[ ! "$IMG" = =~ ^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*(\/[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*)*$ ]]
+ then
+ echo "Image name is not correct."
+ exit 1
+ fi
+ shell: bash
+ env:
+ IMG: ${{ env.img }}
+ - name: Build a Docker image
+ run: |
+ docker build -t $IMG $WRK_DIR
+ shell: bash
+ env:
+ IMG: ${{ env.img }}
+ WRK_DIR: ${{ env.wrk_dir }}
From 84b37695580fcefc4506bf5197702a2e0a9bd0ae Mon Sep 17 00:00:00 2001
From: David Burel
Date: Thu, 1 May 2025 20:44:22 +0200
Subject: [PATCH 2/4] Fix regex operator in Docker image name validation
---
.github/workflows/snyk-container-scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk-container-scan.yml b/.github/workflows/snyk-container-scan.yml
index d6857d0..292deb4 100644
--- a/.github/workflows/snyk-container-scan.yml
+++ b/.github/workflows/snyk-container-scan.yml
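Review bot: `image_name` is declared `required: true` yet also carries `default: "your/image-to-test"`; for a required `workflow_call` input the default is never applied, so the placeholder is dead text that reads as if it were a fallback — drop the `default:` line, or make the input optional if a fallback is really intended. `uses: actions/checkout@master` is a mutable branch reference in a job that already holds `security-events: write` and is designed to be reused from other workflows, so pin it (and every action added later in this file) to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-sha> # vX.Y.Z`, and let Dependabot move the pin. The build line should quote both expansions, `docker build -t "$IMG" "$WRK_DIR"`, so a working directory containing a space is passed as one argument rather than word-split into extra build arguments; the `-d` check above it does not rule that case out.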
@@ -55,7 +55,7 @@ jobs:
 WRK_DIR: ${{ env.wrk_dir }}
 - name: Check Docker image name
 run: |
- if [[ ! "$IMG" = =~ ^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*(\/[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*)*$ ]]
+ if [[ ! "$IMG" =~ ^[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*(\/[a-zA-Z0-9]+(-[a-zA-Z0-9]+)*)*$ ]]
 then
 echo "Image name is not correct."
 exit 1
From 1b77191c28ff9cd316b5b3efa57d94fbbd1b44ec Mon Sep 17 00:00:00 2001
From: David Burel
Date: Thu, 1 May 2025 20:51:32 +0200
Subject: [PATCH 3/4] Add Snyk vulnerability check and upload results to GitHub Code Scanning
---
.github/workflows/snyk-container-scan.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/.github/workflows/snyk-container-scan.yml b/.github/workflows/snyk-container-scan.yml
index 292deb4..7b6718e 100644
--- a/.github/workflows/snyk-container-scan.yml
+++ b/.github/workflows/snyk-container-scan.yml
@@ -70,3 +70,21 @@ jobs:
 env:
 IMG: ${{ env.img }}
 WRK_DIR: ${{ env.wrk_dir }}
+ - name: Run Snyk to check Docker image for vulnerabilities
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want to upload the issues to GitHub Code Scanning
+ continue-on-error: true
+ uses: snyk/actions/docker@master
+ env:
+ # In order to use the Snyk Action you will need to have a Snyk API token.
+ # See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
+ # or you can sign up for free at https://snyk.io/login
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: ${{ env.img }}
+ args: --file=Dockerfile
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@main
+ with:
+ sarif_file: snyk.sarif
+ category: "snyk-container"
From 1d85c4453a88f3f0d0f240ff2454f5f4b9f36dac Mon Sep 17 00:00:00 2001
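Review bot: The corrected `=~` pattern still disagrees with what `docker build -t "$IMG"` will accept a few steps later: it admits uppercase letters, which Docker rejects because repository names must be lowercase, and it rejects `.`, `_`, a registry prefix with a port, and any `:tag` or `@digest`, so `Org/App` passes the check only to fail at build time while `ghcr.io/org/app:1.2` never gets that far. If the goal is to mirror Docker's reference grammar, something closer to `^[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*(:[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?$` would do (registry hosts with ports would still need handling); if the narrowness is deliberate, say so above the `if`, e.g. `# Allow-list: lowercase path components separated by / or -; no registry, tag or digest. Keep in sync with docker build -t.` Either way the pattern has no comment naming the grammar it enforces, and the step it belongs to ends outside this hunk.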
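Review bot: `snyk/actions/docker@master` and `github/codeql-action/upload-sarif@main` are mutable branch refs, and the Snyk step receives `SNYK_TOKEN` while the job holds `security-events: write`, so a compromised or force-pushed upstream branch could exfiltrate the token or plant findings; pin both to a full commit SHA with the version in a trailing comment (`uses: snyk/actions/docker@<full-sha> # vX.Y.Z`) — I have not checked which release is current. `continue-on-error: true` also swallows a missing or invalid token and a CLI crash, not only vulnerability findings, so the job stays green with nothing uploaded; giving the step an `id` and checking `steps.<id>.outcome` in a follow-up step would separate "vulnerabilities found" from "scan did not run". The upload step presumes the action writes `snyk.sarif` to the workspace root — as far as I know that is its behavior when the `sarif` input is left at its default — so a comment such as `# snyk/actions emits snyk.sarif by default; keep in sync with sarif_file below` would make that coupling visible.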
From: David Burel
Date: Thu, 1 May 2025 20:58:01 +0200
Subject: [PATCH 4/4] Update Snyk Code Scan and Container Scan workflows for improved SARIF upload handling
---
.github/workflows/snyk-code-scan-python.yml | 2 +-
.github/workflows/snyk-container-scan.yml | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/snyk-code-scan-python.yml b/.github/workflows/snyk-code-scan-python.yml
index 021bb1f..fd38685 100644
--- a/.github/workflows/snyk-code-scan-python.yml
+++ b/.github/workflows/snyk-code-scan-python.yml
@@ -44,4 +44,4 @@ jobs:
 uses: github/codeql-action/upload-sarif@main
 with:
 sarif_file: snyk.sarif
- category: "snyk"
+ category: "snyk-python"
diff --git a/.github/workflows/snyk-container-scan.yml b/.github/workflows/snyk-container-scan.yml
index 7b6718e..9fa2a76 100644
--- a/.github/workflows/snyk-container-scan.yml
+++ b/.github/workflows/snyk-container-scan.yml
@@ -82,8 +82,9 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: ${{ env.img }}
- args: --file=Dockerfile
+ args: --file=${{ env.wrk_dir }}/Dockerfile
 - name: Upload result to GitHub Code Scanning
+ if: ${{ hashFiles('**/snyk.sarif') != '' }}
 uses: github/codeql-action/upload-sarif@main
 with:
 sarif_file: snyk.sarif
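Review bot: `hashFiles('**/snyk.sarif')` matches a `snyk.sarif` anywhere in the workspace, including one committed in the checked-out repository, while the upload step reads only `snyk.sarif` at the root; a stray file in a subdirectory makes the condition true and the upload fail, and a committed root-level file would be uploaded as if it were this run's result, so the guard should be `if: ${{ hashFiles('snyk.sarif') != '' }}`. The new `args: --file=${{ env.wrk_dir }}/Dockerfile` also departs from the file's own discipline of handing caller input to steps through `env:` rather than expanding `${{ }}` inline: the value is caller-supplied (`inputs.working_directory`), the action appears to forward `args` to a shell command, and the earlier `-d` check does not exclude spaces or metacharacters in the directory name. If the action offers no env-based equivalent, at least record the trust assumption above the line, e.g. `# wrk_dir is caller-controlled and is expanded into the action's command line; call this workflow only with trusted inputs`.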