scan-container-for-vulnerabilities.yml

name: Scan Docker container for vulnerabilities

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  run-snyk:
    runs-on: ubuntu-latest
    steps:
      - name: Check for required secrets
        uses: actions/github-script@v4
        with:
          script: |
            const secrets = 
            {
              SNYK_TOKEN: `${{ secrets.SNYK_TOKEN }}`,
            };

            const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => 
            {
              if(value.length === 0) 
              {
                core.error(`Secret "${name}" is not set`);
              }
              else
              {
                core.info(`✔️ Secret "${name}" is set`);
              }
              
              return;
            });

            if(missingSecrets.length > 0) 
            {
              core.setFailed(`❌ At least one required secret is not set in the repository. \n`);
            }
            else 
            {
              core.info(`✅ All the required secrets are set`);
            }


      - name: Checkout repository
        uses: actions/checkout@v2
        
      - name: Build Docker Image	
        run: docker build -t backend .
      
      - name: Run Snyk to check Docker image for vulnerabilities
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: backend
          args: --file=Dockerfile 
                --severity-threshold=critical

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif