Merge dev to main

.github/actions/bake-test-push/action.yml

@@ -17,6 +17,10 @@ inputs:
     description: Flag to test image once built
     default: true
     type: boolean
+  scan-image:
+    description: Flag to scan image for vulnerabilities once built
+    default: true
+    type: boolean
   push-image:
     description: Flag to push image once built
     default: false
@@ -37,6 +41,14 @@ inputs:
     description: JSON for authenticating Google Cloud Platform
     default: ""
     type: string
+  snyk-org:
+    description: Organization ID for Snyk
+    default: ""
+    type: string
+  snyk-token:
+    description: Token for authenticating with Snyk
+    default: ""
+    type: string
 
 runs:
   using: "composite"
@@ -47,6 +59,13 @@ runs:
       env:
         GITHUB_TOKEN: ${{ inputs.ghcr-token }}
 
+    - uses: snyk/actions/setup@master
+
+    - name: Snyk auth
+      shell: bash
+      run: |
+        snyk auth ${{ inputs.snyk-token }}
+
     - uses: actions/setup-python@v5
       with:
         python-version: '3.12'
@@ -109,7 +128,30 @@ runs:
     - name: Test
       shell: bash
       run: |
-        just test "${{ inputs.target }}" "${{ inputs.bakefile }}"
+        if [[ "${{ inputs.test-image }}" == "true" ]]; then
+          just test "${{ inputs.target }}" "${{ inputs.bakefile }}"
+        fi
+
+    - name: Scan
+      continue-on-error: true
+      env:
+        SNYK_ORG: ${{ inputs.snyk-org }}
+      shell: bash
+      run: |
+        if [[ "${{ inputs.scan-image }}" == "true" ]]; then
+          if [[ "${{ inputs.push-image }}" == "true" ]]; then
+            just snyk-monitor "${{ inputs.target }}" "${{ inputs.bakefile }}"
+          else
+            just snyk-test "${{ inputs.target }}" "${{ inputs.bakefile }}"
+          fi
+        fi
+
+    - name: Upload results
+      uses: github/codeql-action/upload-sarif@v3
+      continue-on-error: true
+      with:
+          sarif_file: "container.sarif"
+          category: "${{ inputs.target }}-snyk-vulnerabilities"
 
     - name: Push - ${{ inputs.push-image }}
       uses: docker/bake-action@v4

.github/workflows/build-bake-preview.yaml

@@ -99,6 +99,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   connect-daily:
     needs: [versions]
@@ -137,6 +139,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   connect-content-init-daily:
     needs: [versions]
@@ -175,6 +179,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   package-manager-preview:
     needs: [versions]
@@ -213,6 +219,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   package-manager-daily:
     needs: [versions]
@@ -251,6 +259,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   r-session-complete-preview:
     needs: [versions]
@@ -289,6 +299,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   r-session-complete-daily:
     needs: [versions]
@@ -327,6 +339,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   workbench-preview:
     needs: [versions]
@@ -365,6 +379,8 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'
 
   workbench-daily:
     needs: [versions]
@@ -403,3 +419,5 @@ jobs:
           ghcr-token: ${{ secrets.GITHUB_TOKEN }}
           dockerhub-username: ${{ secrets.DOCKER_HUB_USERNAME }}
           dockerhub-token: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          snyk-org: ${{ secrets.SNYK_ORG }}
+          snyk-token: '${{ secrets.SNYK_TOKEN }}'