Merge pull request #524 from RADAR-base/feature/snyk-docker-image-action

Add weekly Snyk Docker image scan to Github actions

Author: pvannierop

.github/workflows/main.yml

@@ -57,7 +57,7 @@ jobs:
 
       - name: Upload build artifacts
         if: always()
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           path: build/reports
           if-no-files-found: ignore

.github/workflows/scheduled-snyk-docker.yaml

@@ -0,0 +1,35 @@
+name: Snyk scheduled Docker image scan
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: radarbase/radar-appserver
+          args: |
+            --file=Dockerfile
+            --all-projects
+            --org=radar-base
+            --fail-on=upgradable
+            --severity-threshold=high
+            --json-file-output=snyk.json
+            --policy-path=$PWD/.snyk
+
+      - name: Report new vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+          report-file: snky.json
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scheduled-snyk.yaml

@@ -1,16 +1,13 @@
-name: Snyk scheduled test
+name: Snyk scheduled code base scan
 on:
   schedule:
     - cron: '0 2 * * 1'
-  push:
-    branches:
-      - master
+  workflow_dispatch:
 
 jobs:
   security:
     runs-on: ubuntu-latest
-    env:
-      REPORT_FILE: test.json
+
     steps:
       - uses: actions/checkout@v3
 
@@ -19,12 +16,19 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+          args: |
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --org=radar-base
+            --fail-on=upgradable
+            --json-file-output=snyk.json
+            --severity-threshold=high
+            --policy-path=$PWD/.snyk
 
       - name: Report new vulnerabilities
         uses: thehyve/report-vulnerability@master
         if: success() || failure()
         with:
-          report-file: ${{ env.REPORT_FILE }}
+          report-file: snky.json
         env:
           TOKEN: ${{ secrets.GITHUB_TOKEN }}