Skip to content

Commit b4a1205

Browse files
committed
Pin versions by diggest and add comments
Signed-off-by: Jakub Stejskal <xstejs24@gmail.com> # Conflicts: # .github/workflows/test-integrations.yml
1 parent ad9b2a3 commit b4a1205

3 files changed

Lines changed: 36 additions & 25 deletions

File tree

.github/actions/security/snyk-container-scan/action.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ inputs:
1212
description: "Fail if any CVE has CVSS score above this value"
1313
required: false
1414
default: "8.0"
15-
monitor:
15+
snykMonitor:
1616
description: "Whether to also run 'snyk container monitor'"
1717
required: false
1818
default: "false"
@@ -28,7 +28,7 @@ runs:
2828
using: "composite"
2929
steps:
3030
- name: Setup Snyk CLI
31-
uses: snyk/actions/setup@master
31+
uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
3232

3333
- name: Load and scan image
3434
shell: bash
@@ -57,6 +57,9 @@ runs:
5757
--sarif-file-output="snyk-container-${IMAGE_NAME}.sarif" \
5858
--json-file-output="snyk-container-${IMAGE_NAME}.json"
5959
60+
# This is used to set severity score to 0.0 for those results that has empty value for it.
61+
# Empty value is not supported by GitHub Code Scanning page
62+
# It also set tool.driver.name to distinguish between different tools within UI (different tool = different image)
6063
- name: Sanitize SARIF security-severity values
6164
shell: bash
6265
env:
@@ -73,21 +76,22 @@ runs:
7376
fi
7477
7578
- name: Upload SARIF to GitHub Code Scanning
76-
uses: github/codeql-action/upload-sarif@v4
79+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
7780
if: ${{ always() && inputs.uploadToCodeScanning == 'true' }}
7881
with:
7982
sarif_file: snyk-container-${{ inputs.image }}.sarif
8083
category: snyk-container-${{ inputs.image }}
8184
wait-for-processing: true
8285

8386
- name: Upload SARIF as workflow artifact
84-
uses: actions/upload-artifact@v7
87+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
8588
if: always()
8689
with:
8790
name: snyk-container-sarif-${{ inputs.image }}
8891
path: snyk-container-${{ inputs.image }}.sarif
8992
retention-days: 30
9093

94+
# Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
9195
- name: Run Snyk monitor
9296
if: ${{ inputs.monitor == 'true' }}
9397
shell: bash

.github/actions/security/snyk-maven-scan/action.yml

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ inputs:
66
description: "Fail if any CVE has CVSS score above this value"
77
required: false
88
default: "8.0"
9-
monitor:
9+
snykMonitor:
1010
description: "Whether to also run 'snyk monitor'"
1111
required: false
1212
default: "false"
@@ -22,7 +22,7 @@ runs:
2222
using: "composite"
2323
steps:
2424
- name: Setup Snyk CLI
25-
uses: snyk/actions/setup@master
25+
uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0
2626

2727
- name: Run Snyk test
2828
shell: bash
@@ -32,6 +32,8 @@ runs:
3232
--sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif \
3333
--json-file-output=snyk-results.json
3434
35+
# This is used to set severity score to 0.0 for those results that has empty value for it.
36+
# Empty value is not supported by GitHub Code Scanning page
3537
- name: Sanitize SARIF security-severity values
3638
shell: bash
3739
run: |
@@ -44,21 +46,22 @@ runs:
4446
fi
4547
4648
- name: Upload SARIF to GitHub Code Scanning
47-
uses: github/codeql-action/upload-sarif@v4
49+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
4850
if: ${{ always() && inputs.uploadToCodeScanning == 'true' }}
4951
with:
5052
sarif_file: snyk-maven-${{ inputs.projectPrefix }}.sarif
5153
category: snyk-maven-${{ inputs.projectPrefix }}
5254
wait-for-processing: true
5355

5456
- name: Upload SARIF as workflow artifact
55-
uses: actions/upload-artifact@v7
57+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
5658
if: always()
5759
with:
5860
name: snyk-maven-${{ inputs.projectPrefix }}.sarif
5961
path: snyk-maven-${{ inputs.projectPrefix }}.sarif
6062
retention-days: 30
6163

64+
# Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
6265
- name: Run Snyk monitor
6366
if: ${{ inputs.monitor == 'true' }}
6467
shell: bash

.github/workflows/test-snyk.yml

Lines changed: 21 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -23,15 +23,15 @@ jobs:
2323
timeout-minutes: 60
2424
steps:
2525
- name: Checkout github-actions
26-
uses: actions/checkout@v6
26+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
2727
with:
2828
ref: ${{ github.sha }}
2929

3030
- name: Checkout strimzi/drain-cleaner
31-
uses: actions/checkout@v6
31+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3232
with:
3333
repository: strimzi/drain-cleaner
34-
ref: main
34+
ref: 1.6.0
3535
path: drain-cleaner
3636

3737
- name: Copy drain-cleaner project to workspace root
@@ -44,7 +44,7 @@ jobs:
4444
uses: ./.github/actions/dependencies/install-yq
4545

4646
- name: Restore Maven cache
47-
uses: actions/cache/restore@v5
47+
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
4848
with:
4949
path: ~/.m2/repository
5050
key: maven-${{ hashFiles('**/pom.xml') }}
@@ -59,14 +59,16 @@ jobs:
5959
uses: ./.github/actions/security/snyk-maven-scan
6060
with:
6161
cvssThreshold: "99.0"
62-
monitor: "false"
62+
# Keep false to avoid uploading testing results to Snyk App
63+
snykMonitor: "false"
64+
# Keep false to avoid uploading results to GitHub Code Scanning page
65+
uploadToCodeScanning: "false"
6366
projectPrefix: test-drain-cleaner
64-
uploadToCodeScanning: "true"
6567
env:
6668
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
6769

6870
- name: Download SARIF artifact
69-
uses: actions/download-artifact@v7
71+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
7072
with:
7173
name: snyk-maven-test-drain-cleaner.sarif
7274
path: sarif-output
@@ -86,6 +88,8 @@ jobs:
8688
jq empty "$SARIF_FILE"
8789
echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)"
8890
91+
# Test workflow loads image artifacts from test-integrations workflow.
92+
# To avoid additional image build, the scan check will wait until integration workflow store the artifacts
8993
wait-for-container-artifact:
9094
name: Wait for Container Artifact
9195
runs-on: ubuntu-latest
@@ -95,7 +99,7 @@ jobs:
9599
steps:
96100
- name: Wait for container artifact
97101
id: find-build
98-
uses: actions/github-script@v9
102+
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
99103
env:
100104
INPUT_SHA: ${{ github.sha }}
101105
ARTIFACT_NAME: "containers-operators-amd64.tar"
@@ -174,22 +178,20 @@ jobs:
174178
strategy:
175179
matrix:
176180
image:
181+
# Kafka images are not here to avoid need to change Kafka versions on multiple places when we bump operators repo versions for testing
177182
- buildah-latest-amd64
178-
- kafka-build-kafka-4.1.0-amd64
179-
- kafka-build-kafka-4.1.1-amd64
180-
- kafka-build-kafka-4.2.0-amd64
181183
- kaniko-executor-latest-amd64
182184
- maven-builder-latest-amd64
183185
- operator-latest-amd64
184186
steps:
185187
- name: Checkout github-actions
186-
uses: actions/checkout@v6
188+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
187189

188190
- name: Install Docker
189191
uses: ./.github/actions/dependencies/install-docker
190192

191193
- name: Download container archive
192-
uses: actions/download-artifact@v7
194+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
193195
with:
194196
name: containers-operators-amd64.tar
195197
run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }}
@@ -204,7 +206,7 @@ jobs:
204206
imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
205207
image: ${{ matrix.image }}
206208
cvssThreshold: "99.0"
207-
monitor: "false"
209+
snykMonitor: "false"
208210
uploadToCodeScanning: "false"
209211
projectPrefix: test-operators
210212
env:
@@ -233,13 +235,13 @@ jobs:
233235

234236
steps:
235237
- name: Checkout github-actions
236-
uses: actions/checkout@v6
238+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
237239

238240
- name: Install Docker
239241
uses: ./.github/actions/dependencies/install-docker
240242

241243
- name: Download container archive
242-
uses: actions/download-artifact@v7
244+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
243245
with:
244246
name: containers-drain-cleaner-amd64.tar
245247
run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }}
@@ -254,7 +256,9 @@ jobs:
254256
imageFile: drain-cleaner-container-amd64.tar.gz
255257
image: drain-cleaner-amd64
256258
cvssThreshold: "99.0"
257-
monitor: "true"
259+
# Keep false to avoid uploading testing results to Snyk App
260+
snykMonitor: "false"
261+
# Keep false to avoid uploading results to GitHub Code Scanning page
258262
uploadToCodeScanning: "false"
259263
projectPrefix: test-drain-cleaner
260264
env:

0 commit comments

Comments
 (0)