.github/workflows/docker_image_scan.yml
name: Scan docker image
on:
schedule:
- cron: '0 7 * * *'
jobs:
scan-docker-image:
runs-on: ubuntu-latest
name: Scan docker image
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Build docker image
run: |
docker build \
--tag cccd:scan \
--file docker/Dockerfile .
- name: Scan docker image using snyk
id: image-scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: cccd:scan
args: --file=docker/Dockerfile
- name: Monitor docker image using snyk
id: image-monitor
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
image: cccd:scan
args: --file=docker/Dockerfile
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
- name: Slack notify failure
if: ${{ steps.image-scan.outcome == 'failure' }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_USERNAME: Snyk docker image scan
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: laa-cccd-alerts
SLACK_ICON_EMOJI: ':snyk:'
SLACK_COLOR: ${{ steps.image-scan.outcome }}
SLACK_TITLE: Scanned ${{ github.repository }}
SLACK_MESSAGE: docker scan detected vulnerabilites! @laa-claim-for-payment-devs
SLACK_LINK_NAMES: true
SLACK_FOOTER:
- name: Slack notify success
if: ${{ steps.image-scan.outcome == 'success' }}
uses: rtCamp/action-slack-notify@v2
env:
SLACK_USERNAME: Snyk docker image scan
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_CHANNEL: laa-claim-for-payment-development
SLACK_ICON_EMOJI: ':snyk:'
SLACK_COLOR: ${{ steps.image-scan.outcome }}
SLACK_TITLE: Scanned ${{ github.repository }}
SLACK_MESSAGE: docker scan found no vulnerabilites!
SLACK_FOOTER: