From 0623a0b23f22238749172a7ae3afd481da91bd94 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 01:50:45 -0600
Subject: [PATCH 1/7] Create snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/snyk-container-analysis.yml
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
new file mode 100644
index 0000000..3a69988
--- /dev/null
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -0,0 +1,43 @@
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+
+name: Snyk Container
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '33 18 * * 3'
+
+jobs:
+ snyk:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Build a Docker image
+ run: make build-all-nc
+ - name: Run Snyk to check Docker image for vulnerabilities
+ # Snyk can be used to break the build when it detects vulnerabilities.
+ # In this case we want to upload the issues to GitHub Code Scanning
+ continue-on-error: true
+ uses: snyk/actions/docker@master
+ env:
+ # In order to use the Snyk Action you will need to have a Snyk API token.
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token
+ # or you can signup for free at https://snyk.io/login
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ image: your/image-to-test
+ args: --file=Dockerfile
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: snyk.sarif
From db5957b12c81d3e9d936b5868cdc2c7b305d07b8 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 02:57:09 -0600
Subject: [PATCH 2/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index 3a69988..b90c74b 100644
--- a/.github/workflows/snyk-container-analysis.yml
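Review bot: `uses: snyk/actions/docker@master` pins the scanner to a mutable branch even though the step hands it `secrets.SNYK_TOKEN`, so whatever lands on that branch later runs with the token; pin it to a release tag or a full commit SHA, e.g. `uses: snyk/actions/docker@<release tag or full commit SHA>`. The same reference is carried unchanged through patches 4, 5 and 7 of this series. The workflow also declares no `permissions:` block, although the checkout needs only `contents: read` and the SARIF upload only `security-events: write`; adding `permissions:` / `  contents: read` / `  security-events: write` at the top level keeps GITHUB_TOKEN at least privilege for this job.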
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -35,8 +35,7 @@ jobs:
 # or you can signup for free at https://snyk.io/login
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
- image: your/image-to-test
- args: --file=Dockerfile
+ image: xianpengshen/clang-tools:all
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v1
 with:
From fbb173b3c26075337cfeae2685b9608fc9df2e54 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 05:22:01 -0600
Subject: [PATCH 3/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index b90c74b..341a4f3 100644
--- a/.github/workflows/snyk-container-analysis.yml
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -12,10 +12,7 @@ on:
 push:
 branches: [ master ]
 pull_request:
- # The branches below must be a subset of the branches above
 branches: [ master ]
- schedule:
- - cron: '33 18 * * 3'
 jobs:
 snyk:
@@ -36,6 +33,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: xianpengshen/clang-tools:all
+ args: --file=all/Dockerfile
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v1
 with:
From 3962e091474e6e8c1d681541c4f1a82b4dca8c24 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 05:33:16 -0600
Subject: [PATCH 4/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index 341a4f3..6af8fc5 100644
--- a/.github/workflows/snyk-container-analysis.yml
+++ b/.github/workflows/snyk-container-analysis.yml
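Review bot: `image: xianpengshen/clang-tools:all` points the scan at a registry tag while the `make build-all-nc` step that precedes it (outside this hunk) still builds locally; unless that Makefile target tags its output under exactly this name, which is not visible here, Snyk scans the published copy rather than the image just built from the checked-out commit. Dropping `args: --file=Dockerfile` in the same hunk also removes the Dockerfile reference that lets Snyk attribute findings to base-image instructions; patch 3 of this series restores it as `all/Dockerfile`.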
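Review bot: Removing `schedule:` / `- cron: '33 18 * * 3'` in the first hunk of patch 3 leaves the image rescanned only when master changes, so vulnerabilities disclosed after the last push against an otherwise unchanged image are never reported to Code Scanning; the header comment of this file names that monitoring as part of its purpose. If the weekly run was too noisy, keep the cron trigger and tune the severity or the target rather than dropping the only time-based scan.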
@@ -18,13 +18,7 @@ jobs:
 snyk:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - name: Build a Docker image
- run: make build-all-nc
 - name: Run Snyk to check Docker image for vulnerabilities
- # Snyk can be used to break the build when it detects vulnerabilities.
- # In this case we want to upload the issues to GitHub Code Scanning
- continue-on-error: true
 uses: snyk/actions/docker@master
 env:
 # In order to use the Snyk Action you will need to have a Snyk API token.
From f1873f675fc60ef6b9246e4e1125c00f86be1072 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 05:37:59 -0600
Subject: [PATCH 5/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index 6af8fc5..f9d273b 100644
--- a/.github/workflows/snyk-container-analysis.yml
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -18,6 +18,7 @@ jobs:
 snyk:
 runs-on: ubuntu-latest
 steps:
+ - uses: actions/checkout@v2
 - name: Run Snyk to check Docker image for vulnerabilities
 uses: snyk/actions/docker@master
 env:
From 5ddd9df9654e01f3ef5731c5ac9f04cb352b0154 Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 05:43:56 -0600
Subject: [PATCH 6/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index f9d273b..85eb840 100644
--- a/.github/workflows/snyk-container-analysis.yml
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 with:
 image: xianpengshen/clang-tools:all
- args: --file=all/Dockerfile
+ args: --severity-threshold=high --file=all/Dockerfile
 - name: Upload result to GitHub Code Scanning
 uses: github/codeql-action/upload-sarif@v1
 with:
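Review bot: Removing the `make build-all-nc` step in patch 4 means Snyk now scans whatever `xianpengshen/clang-tools:all` currently resolves to in the registry, not an image built from the commit under test, so a pull_request run no longer reflects the Dockerfile changes it is meant to check and a re-run of the same commit can scan different content as the tag moves. Dropping `actions/checkout@v2` in the same hunk leaves `--file=all/Dockerfile` (just below the hunk, added in patch 3) pointing at a file that is not in the workspace, and removing `continue-on-error: true` makes any finding end the job before the SARIF upload; patches 5 and 7 of this series put those two lines back, but the registry-versus-build mismatch remains.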
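Review bot: `--severity-threshold=high` in patch 6 drops medium and low findings from the generated SARIF entirely, so they never reach Code Scanning and cannot be triaged or dismissed there later; if the intent is only to keep lower severities from failing the job, that belongs in the step's failure handling rather than in what the report contains. At this point in the series `continue-on-error` is absent (removed in patch 4, restored in patch 7), so a single high finding still ends the job before the upload step runs.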
From bc5c15e34ccfe5684930c8fba838960bb8836dca Mon Sep 17 00:00:00 2001
From: Peter Shen
Date: Sat, 6 Nov 2021 05:47:06 -0600
Subject: [PATCH 7/7] Update snyk-container-analysis.yml
---
 .github/workflows/snyk-container-analysis.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/snyk-container-analysis.yml b/.github/workflows/snyk-container-analysis.yml
index 85eb840..fd0cb3e 100644
--- a/.github/workflows/snyk-container-analysis.yml
+++ b/.github/workflows/snyk-container-analysis.yml
@@ -20,6 +20,7 @@ jobs:
 steps:
 - uses: actions/checkout@v2
 - name: Run Snyk to check Docker image for vulnerabilities
+ continue-on-error: true
 uses: snyk/actions/docker@master
 env:
 # In order to use the Snyk Action you will need to have a Snyk API token.
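Review bot: `continue-on-error: true` hides every failure of the scan step, not only the non-zero exit Snyk uses to report vulnerabilities: an unset or rejected `SNYK_TOKEN` (the case for pull requests opened from forks, where repository secrets are not provided), an image that cannot be pulled, or a wrong `--file` path all leave the job running, and the only symptom is the upload step failing because `snyk.sarif` does not exist, which reads as a Code Scanning problem rather than a scan problem. Make the scan outcome explicit before uploading, for example a step `run: test -f snyk.sarif || { echo 'Snyk produced no snyk.sarif; check token, image and --file'; exit 1; }` between the two, so a broken scan is attributed to the scan.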