mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-09 16:00:22 +00:00
ci: add snyk for container image
adding a github action to do security scanning for the cephcsi container image Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
parent
6b3665b80c
commit
63f48874ad
43
.github/workflows/snyk-container-image.yaml
vendored
Normal file
43
.github/workflows/snyk-container-image.yaml
vendored
Normal file
@ -0,0 +1,43 @@
|
||||
---
|
||||
# A workflow which checks out the code, builds a container
|
||||
# image using Docker and scans that image for vulnerabilities using
|
||||
# Snyk. The results are then uploaded to GitHub Security Code Scanning
|
||||
#
|
||||
# For more examples, including how to limit scans to only high-severity
|
||||
# issues, monitor images for newly disclosed vulnerabilities in Snyk and
|
||||
# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
|
||||
name: Snyk Container
|
||||
# yamllint disable-line rule:truthy
|
||||
on:
|
||||
schedule:
|
||||
# Run weekly on every Monday
|
||||
- cron: '0 0 * * 1'
|
||||
push:
|
||||
tags:
|
||||
- v*
|
||||
branches:
|
||||
- release-*
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
snyk:
|
||||
if: github.repository == 'ceph/ceph-csi'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- name: Build a Docker image
|
||||
run: make image-cephcsi
|
||||
- name: Run Snyk to check Docker image for vulnerabilities
|
||||
continue-on-error: true
|
||||
uses: snyk/actions/docker@master
|
||||
env:
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
with:
|
||||
image: quay.io/cephcsi/cephcsi:${{ github.base_ref }}
|
||||
args: --file=Dockerfilei
|
||||
- name: Upload result to GitHub Code Scanning
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: snyk.sarif
|
Loading…
Reference in New Issue
Block a user