fix: Dockerfile to reduce vulnerabilities #206
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Snyk SAST and SCA Scan | |
| on: push | |
| jobs: | |
| security: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@master | |
| - name: Run Snyk Code Test for SAST | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }} | |
| with: | |
| command: code test --sarif-file-output=snyk-code.sarif | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: snyk-code.sarif | |
| - name: Monitor SAST results with Snyk | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }} | |
| with: | |
| command: monitor | |
| - name: Run Snyk to check for SCA vulnerabilities | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }} | |
| with: | |
| command: test --sarif-file-output=snyk-dependency.sarif | |
| - name: Upload result to GitHub Code Scanning | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: snyk-dependency.sarif | |
| - name: Monitor dependencies with Snyk | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_2 }} | |
| with: | |
| command: monitor | |
| - name: Total SAST security issues | |
| run: | | |
| length=$(cat snyk-code.sarif | jq '.runs[0].results | length') | |
| echo "RESULTS_LENGTH=$length" >> $GITHUB_ENV | |
| - name: Send SAST notification on Slack using Webhooks | |
| uses: slackapi/slack-github-action@v1.24.0 | |
| if: always() | |
| with: | |
| payload: | | |
| { | |
| "text": "*The Snyk SAST scan result for repo nodejs-goof-BC is : ${{ job.status }}* \n*Number of vulnerabilities : ${{ env.RESULTS_LENGTH }}* \n*Detail*: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| - name: Total SCA security issues | |
| run: | | |
| length=$(cat snyk-dependency.sarif | jq '.runs[0].results | length') | |
| echo "RESULTS_LENGTH_2=$length" >> $GITHUB_ENV | |
| - name: Send SCA notification on Slack using Webhooks | |
| uses: slackapi/slack-github-action@v1.24.0 | |
| if: always() | |
| with: | |
| payload: | | |
| { | |
| "text": "*The Snyk SCA scan result for repo nodejs-goof-BC is : ${{ job.status }}* \n*Number of vulnerabilities : ${{ env.RESULTS_LENGTH_2 }}* \n*Detail*: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}" | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |