@@ -121,53 +121,57 @@ jobs:
121121 run --rm ${{ env.IMAGE_NAME }}-test
122122 make test
123123
124- security :
125- name : " Snyk Container"
126- runs-on : ubuntu-24.04
127- needs : build
128- permissions :
129- actions : read
130- contents : read
131- security-events : write
132- steps :
133- - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
134- - name : Download artifact
135- uses : actions/download-artifact@v4
136- with :
137- name : ${{ env.ARTIFACT_NAME }}_prod
138- path : /tmp/
139124
140- - name : Load image
141- run : |
142- docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
143- docker image ls -a
125+ # yamllint disable rule:line-length
126+ # security:
127+ # name: "Snyk Container"
128+ # runs-on: ubuntu-24.04
129+ # needs: build
130+ # permissions:
131+ # actions: read
132+ # contents: read
133+ # security-events: write
134+ # steps:
135+ # - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
136+ # - name: Download artifact
137+ # uses: actions/download-artifact@v4
138+ # with:
139+ # name: ${{ env.ARTIFACT_NAME }}_prod
140+ # path: /tmp/
141+
142+ # - name: Load image
143+ # run: |
144+ # docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
145+ # docker image ls -a
146+
147+ # - name: Run Snyk to check Docker image for vulnerabilities
148+ # # Snyk can be used to break the build when it detects vulnerabilities.
149+ # # In this case we want to upload the issues to GitHub Code Scanning
150+ # continue-on-error: true
151+ # uses: snyk/actions/docker@master
152+ # env:
153+ # # yamllint disable rule:line-length
154+ # # In order to use the Snyk Action you will need to have a Snyk API token.
155+ # # See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
156+ # # or you can sign up for free at https://snyk.io/login
157+ # # yamllint enable rule:line-length
158+ # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
159+ # with:
160+ # image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
161+ # args: --file=Dockerfile
162+ # # yamllint disable rule:line-length
163+ # # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
164+ # - name: Replace security-severity undefined for license-related findings
165+ # run: |
166+ # sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
167+ # sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
168+ # # yamllint enable rule:line-length
169+ # - name: Upload result to GitHub Code Scanning
170+ # uses: github/codeql-action/upload-sarif@v3
171+ # with:
172+ # sarif_file: 'snyk.sarif'
173+ # yamllint enable rule:line-length
144174
145- name : Run Snyk to check Docker image for vulnerabilities
146- # Snyk can be used to break the build when it detects vulnerabilities.
147- # In this case we want to upload the issues to GitHub Code Scanning
148- continue-on-error : true
149- uses : snyk/actions/docker@master
150- env :
151- # yamllint disable rule:line-length
152- # In order to use the Snyk Action you will need to have a Snyk API token.
153- # See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
154- # or you can sign up for free at https://snyk.io/login
155- # yamllint enable rule:line-length
156- SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
157- with :
158- image : ${{ env.IMAGE_NAME }}:${{ github.sha }}
159- args : --file=Dockerfile
160- # yamllint disable rule:line-length
161- # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
162- - name : Replace security-severity undefined for license-related findings
163- run : |
164- sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
165- sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
166- # yamllint enable rule:line-length
167- - name : Upload result to GitHub Code Scanning
168- uses : github/codeql-action/upload-sarif@v3
169- with :
170- sarif_file : ' snyk.sarif'
171175 scan :
172176 name : " Trivy"
173177 runs-on : ubuntu-24.04
0 commit comments