--- # A workflow which checks out the code, builds a container # image using Docker and scans that image for vulnerabilities using # Snyk. The results are then uploaded to GitHub Security Code Scanning # # For more examples, including how to limit scans to only high-severity # issues, monitor images for newly disclosed vulnerabilities in Snyk and # fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ name: Snyk Container # yamllint disable-line rule:truthy on: schedule: # Run weekly on every Monday - cron: '0 0 * * 1' push: tags: - v* branches: - release-* permissions: contents: read jobs: snyk: if: github.repository == 'ceph/ceph-csi' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Build a Docker image run: make image-cephcsi - name: Run Snyk to check Docker image for vulnerabilities continue-on-error: true uses: snyk/actions/docker@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: image: quay.io/cephcsi/cephcsi:${{ github.base_ref }} args: --file=Dockerfilei - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif