File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11name : " Snyk Container Scan"
2- description : " Scan a single container image with Snyk, upload results to Code Scanning, and check CVSS threshold "
2+ description : " Scan a single container image with Snyk, upload results to Code Scanning"
33
44inputs :
55 imageFile :
88 image :
99 description : " Image name for SARIF naming and categorization"
1010 required : true
11- cvssThreshold :
12- description : " Fail if any CVE has CVSS score above this value"
13- required : false
14- default : " 8.0"
1511 snykMonitor :
1612 description : " Whether to also run 'snyk container monitor'"
1713 required : false
@@ -104,26 +100,3 @@ runs:
104100 --project-name="$MONITOR_PROJECT" \
105101 --target-reference="$MONITOR_REVISION"
106102 fi
107-
108- - name : Check CVSS threshold
109- shell : bash
110- env :
111- IMAGE_NAME : ${{ inputs.image }}
112- run : |
113- THRESHOLD=${{ inputs.cvssThreshold }}
114- JSON_FILE="snyk-container-${IMAGE_NAME}.json"
115- if [ -f "$JSON_FILE" ]; then
116- COUNT=$(jq --argjson t "$THRESHOLD" '
117- if type == "array" then
118- [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length
119- else
120- [.vulnerabilities[]? | select(.cvssScore > $t)] | length
121- end' "$JSON_FILE")
122- if [ "$COUNT" -gt 0 ]; then
123- echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $THRESHOLD"
124- exit 1
125- fi
126- echo "No vulnerabilities found with CVSS score > $THRESHOLD"
127- else
128- echo "No Snyk results file found, skipping CVSS threshold check"
129- fi
Original file line number Diff line number Diff line change 11name : " Snyk Maven Scan"
2- description : " Run Snyk scan on Maven dependencies with SARIF upload and CVSS threshold check "
2+ description : " Run Snyk scan on Maven dependencies with SARIF upload"
33
44inputs :
5- cvssThreshold :
6- description : " Fail if any CVE has CVSS score above this value"
7- required : false
8- default : " 8.0"
95 snykMonitor :
106 description : " Whether to also run 'snyk monitor'"
117 required : false
7167 run : |
7268 REPO_NAME="${GITHUB_REPOSITORY##*/}"
7369 snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}"
74-
75- - name : Check CVSS threshold
76- shell : bash
77- run : |
78- THRESHOLD=${{ inputs.cvssThreshold }}
79- if [ -f snyk-results.json ]; then
80- COUNT=$(jq --argjson t "$THRESHOLD" '
81- if type == "array" then
82- [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length
83- else
84- [.vulnerabilities[]? | select(.cvssScore > $t)] | length
85- end' snyk-results.json)
86- if [ "$COUNT" -gt 0 ]; then
87- echo "::error::Found $COUNT vulnerabilities with CVSS score > $THRESHOLD"
88- exit 1
89- fi
90- echo "No vulnerabilities found with CVSS score > $THRESHOLD"
91- else
92- echo "No Snyk results file found, skipping CVSS threshold check"
93- fi
Original file line number Diff line number Diff line change 5858 - name : Run Snyk Maven scan
5959 uses : ./.github/actions/security/snyk-maven-scan
6060 with :
61- cvssThreshold : " 99.0"
6261 # Keep false to avoid uploading testing results to Snyk App
6362 snykMonitor : " false"
6463 # Keep false to avoid uploading results to GitHub Code Scanning page
@@ -205,7 +204,6 @@ jobs:
205204 with :
206205 imageFile : docker-images/container-archives/${{ matrix.image }}.tar.gz
207206 image : ${{ matrix.image }}
208- cvssThreshold : " 99.0"
209207 snykMonitor : " false"
210208 uploadToCodeScanning : " false"
211209 projectPrefix : test-operators
@@ -255,7 +253,6 @@ jobs:
255253 with :
256254 imageFile : drain-cleaner-container-amd64.tar.gz
257255 image : drain-cleaner-amd64
258- cvssThreshold : " 99.0"
259256 # Keep false to avoid uploading testing results to Snyk App
260257 snykMonitor : " false"
261258 # Keep false to avoid uploading results to GitHub Code Scanning page
You can’t perform that action at this time.
0 commit comments