|
6 | 6 | workflow_dispatch: |
7 | 7 |
|
8 | 8 | env: |
9 | | - DOCKER_IMAGE_FITBIT: radarbase/kafka-connect-rest-fitbit-source |
10 | | - DOCKER_IMAGE_OURA: radarbase/kafka-connect-rest-oura-source |
| 9 | + REGISTRY: ghcr.io |
| 10 | + REPOSITORY: ${{ github.repository }} |
| 11 | + IMAGES: >- |
| 12 | + [{ |
| 13 | + 'name': 'kafka-connect-fitbit-source', |
| 14 | + 'build_file': 'kafka-connect-fitbit-source/Dockerfile', |
| 15 | + 'authors': 'Pim van Nierop <[email protected]>, Pauline Conde <[email protected]>', |
| 16 | + 'description': 'RADAR-base Fitbit connector application' |
| 17 | + },{ |
| 18 | + 'name': 'kafka-connect-oura-source', |
| 19 | + 'build_file': 'kafka-connect-oura-source/Dockerfile', |
| 20 | + 'authors': 'Pim van Nierop <[email protected]>, Pauline Conde <[email protected]>', |
| 21 | + 'description': 'RADAR-base Oura connector application' |
| 22 | + }] |
11 | 23 |
|
12 | 24 | jobs: |
| 25 | + prepare-matrix: |
| 26 | + name: Prepare Matrix Output |
| 27 | + permissions: {} |
| 28 | + runs-on: ubuntu-latest |
| 29 | + outputs: |
| 30 | + images: ${{ steps.step1.outputs.matrix }} |
| 31 | + steps: |
| 32 | + - name: Create Matrix Variable |
| 33 | + id: step1 |
| 34 | + run: echo "matrix=${{ env.IMAGES }}" >> $GITHUB_OUTPUT |
| 35 | + |
13 | 36 | security: |
| 37 | + needs: prepare-matrix |
14 | 38 | runs-on: ubuntu-latest |
| 39 | + strategy: |
| 40 | + matrix: |
| 41 | + image: ${{ fromJson(needs.prepare-matrix.outputs.images ) }} |
| 42 | + permissions: |
| 43 | + contents: read |
| 44 | + packages: write |
15 | 45 |
|
16 | 46 | steps: |
17 | 47 | - uses: actions/checkout@v3 |
18 | 48 |
|
19 | | - - name: Run Snyk to check for vulnerabilities on Fitbit image |
| 49 | + - name: Lowercase image name |
| 50 | + run: | |
| 51 | + echo "DOCKER_IMAGE=${REGISTRY}/${REPOSITORY,,}/${{ matrix.image.name }}" >>${GITHUB_ENV} |
| 52 | +
|
| 53 | + - name: Run Snyk to check for vulnerabilities |
20 | 54 | continue-on-error: true # To make sure that SARIF upload gets called |
21 | 55 | uses: snyk/actions/docker@master |
22 | 56 | env: |
23 | 57 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
24 | 58 | with: |
25 | | - image: ${{ env.DOCKER_IMAGE_FITBIT }} |
| 59 | + image: ${{ env.DOCKER_IMAGE }} |
26 | 60 | args: >- |
27 | | - --file=kafka-connect-fitbit-source/Dockerfile |
| 61 | + --file=${{ matrix.image.build_file }} |
28 | 62 | --fail-on=upgradable |
29 | 63 | --severity-threshold=high |
30 | 64 | --policy-path=.snyk |
31 | 65 | --exclude-app-vulns |
32 | 66 | --org=radar-base |
33 | | - --sarif-file-output=snyk.sarif |
| 67 | + --sarif-file-output=${{ matrix.image.name }}.sarif |
34 | 68 |
|
35 | 69 | # Detected vulnerabilities will appear on Github in Security->Code_scanning_alerts tab |
36 | | - - name: Upload Fitbit result to GitHub Code Scanning |
| 70 | + - name: Upload result to GitHub Code Scanning |
37 | 71 | uses: github/codeql-action/upload-sarif@v3 |
38 | 72 | with: |
39 | | - category: fitbit |
40 | 73 | sarif_file: snyk.sarif |
| 74 | + category: ${{ matrix.image.name }} |
41 | 75 |
|
42 | | - - name: Run Snyk to check for vulnerabilities on Oura image |
43 | | - continue-on-error: true # To make sure that SARIF upload gets called |
44 | | - uses: snyk/actions/docker@master |
45 | | - env: |
46 | | - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} |
47 | | - with: |
48 | | - image: ${{ env.DOCKER_IMAGE_OURA }} |
49 | | - args: >- |
50 | | - --file=kafka-connect-oura-source/Dockerfile |
51 | | - --fail-on=upgradable |
52 | | - --severity-threshold=high |
53 | | - --policy-path=.snyk |
54 | | - --exclude-app-vulns |
55 | | - --org=radar-base |
56 | | - --sarif-file-output=snyk.sarif |
57 | | -
|
58 | | - - name: Upload Oura result to GitHub Code Scanning |
59 | | - uses: github/codeql-action/upload-sarif@v3 |
60 | | - with: |
61 | | - category: oura |
62 | | - sarif_file: snyk.sarif |
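Review bot: The new explicit `permissions` block on the `security` job (new lines 42–44) grants `contents: read` and `packages: write` but omits `security-events: write`, which `github/codeql-action/upload-sarif` needs to publish results; once a job declares `permissions`, every unlisted scope is denied, so the upload step at new line 71 will likely fail where it previously ran under the job's default token. Pulling the image from ghcr.io for scanning needs at most `packages: read` (none if the packages are public), so `write` is more than least privilege calls for here: `contents: read`, `packages: read`, `security-events: write`. Separately, the Snyk step now writes `--sarif-file-output=${{ matrix.image.name }}.sarif` (new line 67) while the upload step still points at the old `sarif_file: snyk.sarif` (context line 73); unless the Snyk action also emits its default `snyk.sarif`, the upload will reference a file that no longer exists, so change it to `sarif_file: ${{ matrix.image.name }}.sarif`. Since this job now holds a package token and `SNYK_TOKEN`, it is also worth pinning `snyk/actions/docker@master` to a commit SHA rather than a mutable branch.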
|