Skip to content
Scan Docker images

Scan Docker images #568

Sign in to view logs

Scan Docker images

Scan Docker images #568

Workflow file for this run

.github/workflows/snyk-scan.yml at 7762085
# Snyk scanning steps are marked continue-on-error because there are often
# vulnerabilities that may have no possible remediation (e.g. glibc
# vulnerabilities in the Debian base). We want to be *informed* about the
# vulns, but we cannot have them be blockers to releasing images.
name: Scan Docker images
on:
workflow_dispatch: {}
schedule:
- cron: "0 0 * * *"
env:
DOCKER_ORG: pulumi
DISPATCH_REF: ${{ github.event.client_payload.ref }}
jobs:
kitchen-sink:
name: All SDKs images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
suffix: ["", "-nonroot"]
steps:
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
args: --severity-threshold=high --file=docker/pulumi/Dockerfile
- name: Filter Sarif File
# GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
run: |
python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
provider-build-environment:
name: Provider Build Environment
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
args: --severity-threshold=high --file=docker/pulumi/Dockerfile
- name: Filter Sarif File
# GitHub Code Scanning does not allow more than 20 runs per file. We filter out empty runs to avoid this limit.
run: |
python -c 'import json; sarif = json.loads(open("snyk.sarif").read()); sarif["runs"] = [run for run in sarif["runs"] if len(run["results"]) > 0]; open("out.sarif", "w").write(json.dumps(sarif, indent=2))'
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out.sarif
base:
name: Base image
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: ["debian", "ubi"]
arch: ["arm64", "amd64"]
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }}
args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} --platform=linux/${{ matrix.arch }}
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
define-debian-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
debian-sdk:
name: Debian SDK images
runs-on: ubuntu-latest
needs: define-debian-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Set image name
run: |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_NAME }}
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
ubi-sdk:
name: UBI SDK images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
sdk: ["nodejs", "python", "dotnet", "go"]
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi --platform=linux/amd64