Scan Docker images #344
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Snyk scanning steps are marked continue-on-error because there are often | |
# vulnerabilities that may have no possible remediation (e.g. glibc | |
# vulnerabilities in the Debian base). We want to be *informed* about the | |
# vulns, but we cannot have them be blockers to releasing images. | |
name: Scan Docker images | |
on: | |
workflow_dispatch: {} | |
schedule: | |
- cron: "0 0 * * *" | |
env: | |
DOCKER_ORG: pulumi | |
DISPATCH_REF: ${{ github.event.client_payload.ref }} | |
jobs: | |
kitchen-sink: | |
name: All SDKs images | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
image: ["pulumi", "pulumi-provider-build-environment"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }} | |
args: --severity-threshold=high --file=docker/pulumi/Dockerfile | |
base: | |
name: Base image | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
os: ["debian", "ubi"] | |
arch: ["arm64", "amd64"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }} | |
args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }} | |
debian-sdk: | |
name: Debian SDK images | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
sdk: ["nodejs", "python", "dotnet", "go"] | |
arch: ["amd64", "arm64"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }} | |
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian | |
ubi-sdk: | |
name: UBI SDK images | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
sdk: ["nodejs", "python", "dotnet", "go"] | |
steps: | |
- uses: actions/checkout@master | |
- name: Set version | |
run: | | |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV | |
- name: Snyk scan | |
continue-on-error: true | |
uses: snyk/actions/docker@master | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
with: | |
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi | |
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi |