Merge pull request #288 from N5GEH/20-security-scan-of-the-image

20 security scan of the image

.github/workflows/snyk-scan.yml

@@ -0,0 +1,41 @@
+name: Snyk Container Scan
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3  # Using the latest version
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3  # Using the latest version
+
+    - name: Build API image
+      run: docker build -t n5gehtoolsmqtt-gateway-api:latest -f ./backend/api/Dockerfile .
+
+    - name: Build Gateway image
+      run: docker build -t n5gehtoolsmqtt-gateway-gateway:latest -f ./backend/gateway/Dockerfile .
+
+    - name: Snyk Scan API image
+      uses: snyk/actions/docker@master
+      with:
+        image: 'n5gehtoolsmqtt-gateway-api:latest'
+        args: '--severity-threshold=high'
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      continue-on-error: true
+
+    - name: Snyk Scan Gateway image
+      uses: snyk/actions/docker@master
+      with:
+        image: 'n5gehtoolsmqtt-gateway-gateway:latest'
+        args: '--severity-threshold=high'
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      continue-on-error: true

Snyk/README.md

@@ -0,0 +1,52 @@
+# Snyk Container Image Scanning
+
+## Overview
+
+This repository contains a script to scan all active Docker images for vulnerabilities using Snyk. The results of the scan are stored in individual Markdown files within the `scan_results` directory.
+
+## Prerequisites
+
+- Ensure Docker is installed and running on your system.
+
+- Ensure Snyk CLI is installed. You can install it using npm:
+  ```commandline
+  npm install -g snyk 
+  ```
+
+- Authenticate Snyk CLI using your Snyk API token:
+  ```commandline
+  snyk auth YOUR_SNYK_API_TOKEN
+  ```
+
+## Running the script
+
+- Clone the repository (if you haven't already):
+    ```commandline
+    git clone https://github.com/N5GEH/n5geh.tools.mqtt-gateway.git
+    cd n5geh.tools.mqtt-gateway/
+    ```
+- The repository contains a `docker-compose.yml` file that can be used to start building the image and then start the gateway services.
+    The gateway can be started with the following command:
+
+    ```commandline
+    cd fiware-environment
+    docker compose pull
+    docker compose up -d
+
+    cd..
+
+    cd n5geh.tools.mqtt-gateway/
+    docker compose build
+    docker compose up -d
+    ```
+
+- Navigate to the Snyk directory:
+    ```commandline
+    cd Snyk
+    ```
+- Set permissions and run the script:
+    ```commandline
+    chmod +x scan.sh
+    ./scan.sh
+    ```
+- The script will create a scan_results directory and store the results of the scans for each active Docker image in separate Markdown files.

Snyk/scan.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Create a directory for the scan results
+results_dir="scan_results"
+mkdir -p $results_dir
+
+# Get a list of active Docker images
+images=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>:<none>")
+
+# Scan each image and save the result to a separate file
+for image in $images
+do
+    # Create a valid filename by replacing ":" with "_" and "/" with "_"
+    filename=$(echo "$image" | tr ':/' '__')
+
+    # Define the output file path
+    output_file="$results_dir/${filename}.md"
+
+    # Ensure the directory exists
+    mkdir -p "$(dirname "$output_file")"
+
+    # Scan the image and save the result
+    echo "Scanning $image..."
+    echo "**Scanning $image**" > $output_file
+    echo '```' >> $output_file
+    snyk container test $image >> $output_file
+    echo '```' >> $output_file
+done