From 63f48874ad0baf2159a04e9fce3d96ba5d11f275 Mon Sep 17 00:00:00 2001
From: Madhu Rajanna
Date: Thu, 16 Nov 2023 08:42:16 +0100
Subject: [PATCH] ci: add snyk for container image

adding a github action to do security scanning for the cephcsi container image

Signed-off-by: Madhu Rajanna
---
 .github/workflows/snyk-container-image.yaml | 43 +++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/snyk-container-image.yaml

diff --git a/.github/workflows/snyk-container-image.yaml b/.github/workflows/snyk-container-image.yaml
new file mode 100644
index 000000000..bbe8b39a4
--- /dev/null
+++ b/.github/workflows/snyk-container-image.yaml
@@ -0,0 +1,43 @@
+---
+# A workflow which checks out the code, builds a container
+image using Docker and scans that image for vulnerabilities using
+Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+issues, monitor images for newly disclosed vulnerabilities in Snyk and
+fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+name: Snyk Container
+# yamllint disable-line rule:truthy
+on:
+ schedule:
+ # Run weekly on every Monday
+ - cron: '0 0 * * 1'
+ push:
+ tags:
+ - v*
+ branches:
+ - release-*
+
+permissions:
+ contents: read
+
+jobs:
+ snyk:
+ if: github.repository == 'ceph/ceph-csi'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Build a Docker image
+ run: make image-cephcsi
+ - name: Run Snyk to check Docker image for vulnerabilities
+ continue-on-error: true
+ uses: snyk/actions/docker@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: quay.io/cephcsi/cephcsi:${{ github.base_ref }}
+ args: --file=Dockerfilei
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
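Review bot: The `Upload result to GitHub Code Scanning` step cannot succeed under the declared `permissions: contents: read`, because `github/codeql-action/upload-sarif` needs the `security-events: write` scope to post SARIF to code scanning, so the `permissions:` block should become `contents: read` plus `security-events: write`. The scanned reference `quay.io/cephcsi/cephcsi:${{ github.base_ref }}` is also wrong for this workflow's triggers: `github.base_ref` is only populated on pull-request events, and here the workflow runs on `push` and `schedule`, so the tag expands to empty and will not match whatever tag `make image-cephcsi` just built (presumably the Makefile's default tag, e.g. `canary` — confirm against the Makefile and use that, or pass the same tag variable to both steps). `args: --file=Dockerfilei` looks like a typo for the Dockerfile path the Makefile uses, so Snyk will not be able to attribute findings to Dockerfile lines. Because the Snyk step sets `continue-on-error: true`, all three problems would be silently masked and the workflow would stay green without ever uploading results, so drop that flag (or restrict it to a known-flaky failure mode), and pin `snyk/actions/docker@master` to a commit SHA since that mutable ref receives `SNYK_TOKEN`.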