Skip to content

Attempt to fix up sarif. #8

Attempt to fix up sarif.

Attempt to fix up sarif. #8

Workflow file for this run

## Scan a docker image -> get a SARIF/SBOM report
name: SCA/Snyk
on:
workflow_dispatch:
inputs:
docker_image:
description: 'The Docker image to scan'
required: true
default: 'appsecco/dvna:sqlite'
# env:
# REGISTRY: ghcr.io
# IMAGE_NAME: ${{ github.repository }}
# SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
snyk:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
## Optional: login if your image is private
# - name: Login to Dockerhub
# uses: docker/login-action@v3
# with:
# username: ${{ secrets.DOCKERHUB_USERNAME }}
# password: ${{ secrets.DOCKERHUB_TOKEN }}
# - name: Login to GHCR
# uses: docker/login-action@v3
# with:
# registry: ${{ env.REGISTRY }}
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# Pull the github input image or use the default
- name: Pull the image
run: docker pull ${{ github.event.inputs.docker_image }}
- name: Generate dockerfile to enable Snyk scan
run: echo "FROM ${{ github.event.inputs.docker_image }}" > Dockerfile
- name: Run Snyk to check Docker image for vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ github.event.inputs.docker_image }}
args: --file=Dockerfile --sarif
- name: Upload SARIF file as an artifact
uses: actions/upload-artifact@v4
with:
name: sca_snyk.sarif
path: snyk.sarif
- name: Normalize SARIF security scores (avoid "null")
run: sed -i 's/"security-severity": "null"/"security-severity": "1"/g' snyk.sarif

Check failure on line 70 in .github/workflows/sca_snyk.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/sca_snyk.yml

Invalid workflow file

You have an error in your yaml syntax on line 70
- name: Run the Anchore Syft sbom action
uses: anchore/sbom-action@v0
id: syft
with:
image: ${{ github.event.inputs.docker_image }}
format: spdx-json
output-file: sbom_anchore.spdx.json
upload-artifact: false
- name: Upload SBOM file as an artifact
uses: actions/upload-artifact@v4
with:
name: sbom_anchore.spdx.json
path: sbom_anchore.spdx.json
# Only available on Github Enterprise or public repositories
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
category: Security/SCA
- name: SBOM upload
uses: advanced-security/[email protected]