action.yml
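# Composite action that scans a container image with the Snyk CLI.
#
# The scan steps run only when `snyk_token` is non-empty. Without a token the
# action still succeeds, so a green run does not by itself prove that the image
# was scanned; the final step emits a warning annotation in that case.
name: Security scan a docker image
description: Security scans a docker image using Snyk
author: "havard.bakke@pexip.com"
inputs:
  image:
    required: true
    description: Name of docker image to scan
  dockerfile:
    required: true
    default: ./Dockerfile
    description: The docker file used when building the image
  snyk_platform:
    required: false
    default: linux/amd64
    description: Docker image platform to scan
  snyk_token:
    required: false
    description: A token used by Snyk to scan docker image for vulnerabilities
  snyk_threshold:
    required: false
    # Snyk CLI severity levels: low, medium, high, critical.
    default: medium
    description: Snyk severity threshold
runs:
  using: "composite"
  steps:
    # NOTE(review): `v2` is a mutable tag. For supply-chain integrity pin
    # third-party actions to a full commit SHA, e.g.
    #   uses: google-github-actions/setup-gcloud@<full-commit-sha>  # v2
    - name: Setup gcloud SDK
      uses: google-github-actions/setup-gcloud@v2

    # NOTE(review): `master` is a moving ref, so whatever is pushed there runs
    # in this job with access to SNYK_TOKEN in the following step. Pin to a
    # reviewed commit: snyk/actions/setup@<full-commit-sha>
    - name: Setup Snyk
      id: snyk-setup
      if: ${{ inputs.snyk_token != '' }}
      uses: snyk/actions/setup@master

    - name: Security scan docker image
      id: snyk
      if: ${{ inputs.snyk_token != '' }}
      shell: bash
      env:
        # The Snyk CLI reads its credential from SNYK_TOKEN.
        SNYK_TOKEN: ${{ inputs.snyk_token }}
        # Inputs are handed to the script as environment variables instead of
        # being expanded with ${{ }} inside `run:`. Expression expansion
        # happens before bash parses the script, so an input containing shell
        # metacharacters would otherwise be executed as part of the command.
        INPUT_IMAGE: ${{ inputs.image }}
        INPUT_PLATFORM: ${{ inputs.snyk_platform }}
        INPUT_THRESHOLD: ${{ inputs.snyk_threshold }}
        INPUT_DOCKERFILE: ${{ inputs.dockerfile }}
      run: |
        # Quoted expansions keep each input a single argument.
        snyk container test "$INPUT_IMAGE" \
          --platform="$INPUT_PLATFORM" \
          --severity-threshold="$INPUT_THRESHOLD" \
          --file="$INPUT_DOCKERFILE"

    # Surface the no-token case in the run summary rather than skipping
    # the scan silently.
    - name: Warn when the scan is skipped
      if: ${{ inputs.snyk_token == '' }}
      shell: bash
      run: |
        echo "::warning::snyk_token is empty; the Snyk container scan was skipped."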