Fix check for snykMonitor and add target-reference option (#44)

* Add fix for snyk monitor command

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Simplify monitor cmd for maven

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Add testing branch also to integration workflow

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Handle container target reference

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Add reference param

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Revert testing changes

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

* Fix one missing leftover

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

---------

Signed-off-by: Jakub Stejskal <xstejs24@gmail.com>

Author: Frawless

.github/actions/security/snyk-container-scan/action.yml

@@ -15,6 +15,10 @@ inputs:
   projectPrefix:
     description: "Project prefix for Snyk dashboard (e.g., 'strimzi')"
     required: true
+  snykMonitorTargetReference:
+    description: "Value for --target-reference in 'snyk container monitor' (e.g. release version). Defaults to the image tag."
+    required: false
+    default: ""
   uploadToCodeScanning:
     description: "Whether to upload SARIF results to GitHub Code Scanning"
     required: false
@@ -89,13 +93,18 @@ runs:
 
     # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
     - name: Run Snyk monitor
-      if: ${{ inputs.monitor == 'true' }}
+      if: ${{ inputs.snykMonitor == 'true' }}
       shell: bash
       continue-on-error: true
+      env:
+        TARGET_REFERENCE: ${{ inputs.snykMonitorTargetReference }}
       run: |
         if [ -n "$LOADED_IMAGE" ]; then
           MONITOR_PROJECT="${LOADED_IMAGE%%:*}"
           MONITOR_REVISION="${LOADED_IMAGE##*:}"
+          if [ -n "$TARGET_REFERENCE" ]; then
+            MONITOR_REVISION="$TARGET_REFERENCE"
+          fi
           snyk container monitor "$LOADED_IMAGE" \
             --project-name="$MONITOR_PROJECT" \
             --target-reference="$MONITOR_REVISION"

.github/actions/security/snyk-maven-scan/action.yml

@@ -59,11 +59,8 @@ runs:
 
     # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports
     - name: Run Snyk monitor
-      if: ${{ inputs.monitor == 'true' }}
+      if: ${{ inputs.snykMonitor == 'true' }}
       shell: bash
       continue-on-error: true
-      env:
-        PROJECT_PREFIX: ${{ inputs.projectPrefix }}
       run: |
-        REPO_NAME="${GITHUB_REPOSITORY##*/}"
-        snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}"
+        snyk monitor --target-reference="${GITHUB_REF_NAME}"

.github/workflows/test-snyk.yml

@@ -205,6 +205,7 @@ jobs:
           imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz
           image: ${{ matrix.image }}
           snykMonitor: "false"
+          snykMonitorTargetReference: "latest"
           uploadToCodeScanning: "false"
           projectPrefix: test-operators
         env:
@@ -255,6 +256,7 @@ jobs:
           image: drain-cleaner-amd64
           # Keep false to avoid uploading testing results to Snyk App
           snykMonitor: "false"
+          snykMonitorTargetReference: "latest"
           # Keep false to avoid uploading results to GitHub Code Scanning page
           uploadToCodeScanning: "false"
           projectPrefix: test-drain-cleaner