Add weekly Snyk Docker image scan to Github actions

Author: pvannierop

.github/workflows/scheduled-snyk-docker.yaml

@@ -0,0 +1,37 @@
+name: Snyk scheduled Docker base image scan
+
+on:
+  schedule:
+    - cron: '0 3 * * 1'
+  workflow_dispatch:
+
+env:
+    DOCKER_IMAGE: radarbase/radar-backend
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_IMAGE }}
+          args: >-
+            --file=Dockerfile
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --exclude-app-vulns
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload Fitbit result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif

.github/workflows/scheduled-snyk.yaml

@@ -0,0 +1,38 @@
+name: Snyk scheduled code base scan
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node
+        with:
+          node-version: 16
+          cache: npm
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching='^runtimeClasspath$'
+            --fail-on=upgradable
+            --severity-threshold=high
+            --policy-path=.snyk
+            --org=radar-base
+            --sarif-file-output=snyk.sarif
+
+      # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif

.github/workflows/snyk.yaml

@@ -0,0 +1,27 @@
+name: Snyk test on PR commits
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+      - release-*
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: >-
+            --all-projects
+            --configuration-matching="^runtimeClasspath$"
+            --severity-threshold=high
+            --fail-on=upgradable
+            --org=radar-base
+            --policy-path=.snyk

.snyk

@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}