Skip to content

fix: Dockerfile to reduce vulnerabilities #202

fix: Dockerfile to reduce vulnerabilities

fix: Dockerfile to reduce vulnerabilities #202

name: Snyk SAST and SCA Scan
on: push
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Run Snyk Code Test for SAST
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }}
with:
command: code test --sarif-file-output=snyk-code.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-code.sarif
- name: Monitor SAST results with Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }}
with:
command: monitor
- name: Run Snyk to check for SCA vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }}
with:
command: test --sarif-file-output=snyk-dependency.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk-dependency.sarif
- name: Monitor dependencies with Snyk
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }}
with:
command: monitor
- name: Total SAST security issues
run: |
length=$(cat snyk-code.sarif | jq '.runs[0].results | length')
echo "RESULTS_LENGTH=$length" >> $GITHUB_ENV
- name: Send SAST notification on Slack using Webhooks
uses: slackapi/slack-github-action@v1.24.0
if: always()
with:
payload: |
{
"text": "*The Snyk SAST scan result for repo nodejs-goof-BC is : ${{ job.status }}* \n*Number of vulnerabilities : ${{ env.RESULTS_LENGTH }}* \n*Detail*: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Total SCA security issues
run: |
length=$(cat snyk-dependency.sarif | jq '.runs[0].results | length')
echo "RESULTS_LENGTH_2=$length" >> $GITHUB_ENV
- name: Send SCA notification on Slack using Webhooks
uses: slackapi/slack-github-action@v1.24.0
if: always()
with:
payload: |
{
"text": "*The Snyk SCA scan result for repo nodejs-goof-BC is : ${{ job.status }}* \n*Number of vulnerabilities : ${{ env.RESULTS_LENGTH_2 }}* \n*Detail*: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}