Skip to content

Merge pull request #624 from hms-dbmi/HYP-298 #442

Merge pull request #624 from hms-dbmi/HYP-298

Merge pull request #624 from hms-dbmi/HYP-298 #442

Workflow file for this run

name: Scan
on:
push:
branches: [ master, development ]
pull_request:
branches: [ master, development ]
schedule:
- cron: '0 12 * * 1' # runs at 12:00 UTC on Mondays
workflow_dispatch:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
- name: Set image name
id: setimagename
run: |
echo "Image name: $GITHUB_REPOSITORY:$GITHUB_SHA"
echo "::set-output name=imagename::$GITHUB_REPOSITORY:$GITHUB_SHA"
- name: Build the image
id: buildimage
uses: docker/build-push-action@v2
with:
context: ./
file: ./Dockerfile
push: false
tags: ${{ steps.setimagename.outputs.imagename }}
- name: Check whether container scanning should be enabled
id: checkcontainerscanning
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run: |
echo "Enable container scanning: ${{ env.SNYK_TOKEN != '' }}"
echo "::set-output name=enabled::${{ env.SNYK_TOKEN != '' }}"
- name: Run Snyk to check Docker image for vulnerabilities
uses: snyk/actions/docker@master
if: steps.checkcontainerscanning.outputs.enabled == 'true'
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ steps.setimagename.outputs.imagename }}
args: --file=Dockerfile
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v1
if: steps.checkcontainerscanning.outputs.enabled == 'true'
with:
sarif_file: snyk.sarif