Secrets" /> Secrets" />

Docker – Automate Snyk Docker Image Scanning With GITHub Actions

Docker logo

Snyk is a great tool for vulnerability scanning, it’s included in Docker Desktops docker scan feature (10 “free” scans, then requires registration) and has it’s own CLI tools for code and container scanning. It is, also, available as a pipeline action. Here is how to use it with GITHub actions.

First, Create a secret on your GITHub project:

Skärmavbild 2022 10 10 kl. 21.55.59

Settings > Secrets > Actions

Name it SNYK_TOKEN

It can also be created with GitHUB CLI:

~$ gh secret set SNYK_TOKEN

Your SNYK_TOKEN is your AUTH TOKEN found in the Snyk User Dashboard.

Second, create a GitHUB actions file under .github/snyk.yml in your repo.


name: Snyk Container Scanning

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  snyk:
    name: Build and Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v3
      
      - name: Build Docker Image
        run: docker build -t project:sec .

      - name: Run Snyk to check image for vulnerabilities
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: project:sec
          args: --file=Dockerfile
          
      - name: Report To GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

This will, on push to/merge with main, build a new Docker image from your repo and scan it with Snyk. It will also report any found issues to GITHub Code Scanning, under the repos “Security” tab.

That’s a good scan, woof ?

Leave a Reply

Your email address will not be published. Required fields are marked *