f

.github/workflows/snyk-scan.yml

@@ -19,13 +19,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image: ["pulumi", "pulumi-provider-build-environment"]
-        include:
-          # For the pulumi image add a the nonroot variant
-          - suffix: -nonroot
-            image: pulumi
-          - suffix: ""
-            image: pulumi
+        suffix: ["", "-nonroot"]
     steps:
       - uses: actions/checkout@master
       - name: Set version
@@ -37,7 +31,28 @@ jobs:
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: ${{ env.DOCKER_ORG }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
+          image: ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
+          args: --severity-threshold=high --file=docker/pulumi/Dockerfile
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
+
+  provider-build-environment:
+    name: All SDKs images
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Set version
+        run: |
+          [ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
+      - name: Snyk scan
+        continue-on-error: true
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
           args: --severity-threshold=high --file=docker/pulumi/Dockerfile
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v3