snyk-analysis.yml

name: Kubernetes Containers Scan

on:
  push:
    branches:
      - staging 
      - v1.x/staging 
  pull_request:
    types: [opened, synchronize]
  workflow_dispatch:
    inputs:
      RANDOM_DISPATCH_EVENT_ID:
        description: 'random dispatch event id'
        required: false
        type: string

jobs:
  display-dispatch-event-id:
    if: github.event.inputs.RANDOM_DISPATCH_EVENT_ID != ''
    runs-on: ubuntu-latest
    steps:
      - name: RANDOM_DISPATCH_EVENT_ID is ${{ github.event.inputs.RANDOM_DISPATCH_EVENT_ID }}
        run: echo "prints random dispatch event id sent from workflow dispatch event"

  setup-matrix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup image list matrix
        id: setup-image-matrix
        run: |
          IMAGES_LIST=$(cat manifest.json.template | jq -r '.imageDependencies[] | "{\"image\": \"" + .registry + "/" + .name + ":" + .tag + "\"},"')
          echo image-matrix={\"include\":[$IMAGES_LIST]} >> $GITHUB_OUTPUT
    outputs:
      image-matrix: ${{ steps.setup-image-matrix.outputs.image-matrix }}

  snyk:
    runs-on: ubuntu-latest
    needs: setup-matrix
    strategy:
      matrix: ${{ fromJson(needs.setup-matrix.outputs.image-matrix) }}
    steps:
    - uses: actions/checkout@v2

    - name: Run Snyk to check Docker image for vulnerabilities
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      continue-on-error: true
      uses: snyk/actions/docker@master
      # we don't have original Dockerfile, cannot generate and upload sarif 
      with:
        image: ${{ matrix.image }}
        command: test