Added Snyk container scanning

wiremock · Jun 5, 2024 · f2182c4 · f2182c4
1 parent 569fbda
commit f2182c4
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -69,3 +69,9 @@ jobs:
       - name: Run integration test
         working-directory: test/integration-tests
         run: mvn -B -ntp package verify --file pom.xml -DargLine="-Dit.wiremock-image=${{ matrix.versions.TAGS[0] }}"
+
+  container-image-scan:
+    uses: ./.github/workflows/container-image-scan.yml
+    with:
+      image_version: latest
+    secrets: inherit
diff --git a/.github/workflows/container-image-scan.yml b/.github/workflows/container-image-scan.yml
@@ -0,0 +1,37 @@
+name: Container image scan (reusable)
+
+on:
+  workflow_call:
+
+jobs:
+  container-image-scan:
+    name: Snyk container image scan
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        image:
+          - ghcr.io/wiremock/wiremock:${{ inputs.image_version }}
+          - ghcr.io/wiremock/wiremock:${{ inputs.image_version }}-alpine
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: wiremock
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull image to check we've got it
+        run: docker pull ${{ matrix.image }}
+
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ matrix.image }}
+          command: test
+          args: --file=Dockerfile --severity-threshold=high --fail-on=upgradable --org=f310ee2f-5552-444d-84ee-ec8c44c33adb
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,7 +10,7 @@ on:
       bundled-version:
         description: 'Bundled WireMock version'
         required: true
-        default: 3.0.1
+        default: 3.6.0
 
 jobs:
 
@@ -97,6 +97,14 @@ jobs:
           build-args: |
             "WIREMOCK_VERSION=${{ github.event.inputs.bundled-version }}"
 
+  container-image-scan:
+    uses: ./.github/workflows/container-image-scan.yml
+    needs: [check-new-version]
+    if: needs.check-new-version.outputs.new_version
+    with:
+      image_version: ${{ needs.check-new-version.outputs.new_version }}
+    secrets: inherit
+
   release:
     runs-on: ubuntu-latest
     needs: [docker-build-push, check-new-version]
@@ -136,3 +144,29 @@ jobs:
         with:
           tag_name: ${{ needs.check-new-version.outputs.new_version }}
 
+  container-image-monitor:
+    name: Snyk container image monitoring
+    runs-on: ubuntu-latest
+    needs: [check-new-version, release]
+
+    if: needs.check-new-version.outputs.new_version
+    strategy:
+      matrix:
+        image:
+          - wiremock/wiremock:${{ needs.check-new-version.outputs.new_version }}
+          - wiremock/wiremock:${{ needs.check-new-version.outputs.new_version }}-alpine
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Pull image to check we've got it
+        run: docker pull ${{ matrix.image }}
+
+      - name: Run Snyk to monitor Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ matrix.image }}
+          command: monitor
+          args: --file=Dockerfile --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-docker