From dfaf6e02c0eb8e8d7c380f13360de86187e1d5ca Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Wed, 27 May 2026 23:27:34 +0200 Subject: [PATCH 01/26] Add Snyk actions and reusable workflow Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 130 ++++++++++++++++++ .../security/snyk-maven-scan/action.yml | 71 ++++++++++ .github/workflows/reusable-snyk-scan.yml | 118 ++++++++++++++++ 3 files changed, 319 insertions(+) create mode 100644 .github/actions/security/snyk-container-scan/action.yml create mode 100644 .github/actions/security/snyk-maven-scan/action.yml create mode 100644 .github/workflows/reusable-snyk-scan.yml diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml new file mode 100644 index 0000000..3df2ac8 --- /dev/null +++ b/.github/actions/security/snyk-container-scan/action.yml 
@@ -0,0 +1,130 @@ +name: "Snyk Container Scan" +description: "Download container archive, discover images, and run Snyk container scan on each with SARIF upload and CVSS threshold check" + +inputs: + containerArtifact: + description: "Name of the container archive artifact to download" + required: true + cvssThreshold: + description: "Fail if any CVE has CVSS score above this value" + required: false + default: "8.0" + monitor: + description: "Whether to also run 'snyk container monitor'" + required: false + default: "false" + projectName: + description: "Project name prefix for Snyk dashboard (each image gets projectName-imageName)" + required: true + runId: + description: "Workflow run ID to download the container artifact from" + required: true + +runs: + using: "composite" + steps: + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + - name: Download container artifact + uses: actions/download-artifact@v4 + with: + name: ${{ inputs.containerArtifact }} + run-id: ${{ inputs.runId }} + github-token: ${{ github.token }} + + - name: Untar container archive + shell: bash + run: | + tar -xvf ${{ inputs.containerArtifact }}.tar + + - name: Scan container images + shell: bash + env: + CVSS_THRESHOLD: ${{ inputs.cvssThreshold }} + MONITOR: ${{ inputs.monitor }} + PROJECT_NAME: ${{ inputs.projectName }} + run: | + FAILED=0 + SCANNED=0 + + for archive in docker-images/container-archives/*.tar.gz; do + [ -f "$archive" ] || continue + IMAGE_NAME=$(basename "$archive" .tar.gz) + + echo "==========================================" + echo "Scanning image: $IMAGE_NAME" + echo "==========================================" + + LOAD_OUTPUT=$(docker load < "$archive") + echo "$LOAD_OUTPUT" + LOADED_IMAGE=$(echo "$LOAD_OUTPUT" | grep "Loaded image" | sed 's/Loaded image: //') + + if [ -z "$LOADED_IMAGE" ]; then + echo "::warning::Could not determine loaded image tag for $IMAGE_NAME, skipping" + continue + fi + + SARIF_FILE="snyk-container-${IMAGE_NAME}.sarif" + 
JSON_FILE="snyk-container-${IMAGE_NAME}.json" + + snyk container test "$LOADED_IMAGE" \ + --sarif-file-output="$SARIF_FILE" \ + --json-file-output="$JSON_FILE" || true + + if [ "$MONITOR" = "true" ]; then + snyk container monitor "$LOADED_IMAGE" \ + --project-name="${PROJECT_NAME}-${IMAGE_NAME}" || true + fi + + if [ -f "$JSON_FILE" ]; then + COUNT=$(jq --argjson t "$CVSS_THRESHOLD" ' + if type == "array" then + [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length + else + [.vulnerabilities[]? | select(.cvssScore > $t)] | length + end' "$JSON_FILE") + if [ "$COUNT" -gt 0 ]; then + echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $CVSS_THRESHOLD" + FAILED=$((FAILED + 1)) + fi + fi + + SCANNED=$((SCANNED + 1)) + done + + echo "Scanned $SCANNED image(s)" + + if [ "$FAILED" -gt 0 ]; then + echo "::error::CVSS threshold exceeded for $FAILED image(s)" + exit 1 + fi + + - name: Upload SARIF files to GitHub Code Scanning + if: always() + shell: bash + env: + GH_TOKEN: ${{ github.token }} + run: | + for sarif in snyk-container-*.sarif; do + [ -f "$sarif" ] || continue + IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') + echo "Uploading SARIF for image: $IMAGE_NAME" + ENCODED=$(gzip -c "$sarif" | base64 -w0) + gh api \ + -X POST \ + "/repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \ + -f commit_sha="$GITHUB_SHA" \ + -f ref="$GITHUB_REF" \ + -f sarif="$ENCODED" \ + -f category="snyk-container-${IMAGE_NAME}" + echo "Uploaded SARIF for $IMAGE_NAME with category: snyk-container-${IMAGE_NAME}" + done + + - name: Upload SARIF artifacts + uses: actions/upload-artifact@v7 + if: always() + with: + name: snyk-container-sarif-${{ inputs.projectName }} + path: snyk-container-*.sarif + retention-days: 30 diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml new file mode 100644 index 0000000..d6bd012 --- /dev/null +++ b/.github/actions/security/snyk-maven-scan/action.yml 
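Review bot: The `Scan container images` step fails open: `snyk container test ... || true` hides any failure of the scan itself (authentication, network, unreadable archive), and because `$JSON_FILE` is then never written the `if [ -f "$JSON_FILE" ]` branch is skipped and the image is still counted in `SCANNED` with no error. Add the missing-results case to the failure count, e.g. after the scan `if [ ! -f "$JSON_FILE" ]; then echo "::error::Snyk produced no results for $IMAGE_NAME"; FAILED=$((FAILED + 1)); fi`; the `snyk-maven-scan` hunk below has the same fail-open in its threshold step. Two smaller points: `uses: snyk/actions/setup@master` is a mutable ref for a third-party action that runs in the same environment as `SNYK_TOKEN`, so pin it to a commit SHA, and `tar -xvf ${{ inputs.containerArtifact }}.tar` expands an action input directly into the shell script while the other inputs of this action already go through `env:` — do the same here (`CONTAINER_ARTIFACT: ${{ inputs.containerArtifact }}` then `tar -xvf "${CONTAINER_ARTIFACT}.tar"`).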
@@ -0,0 +1,71 @@ +name: "Snyk Maven Scan" +description: "Run Snyk scan on Maven dependencies with SARIF upload and CVSS threshold check" + +inputs: + cvssThreshold: + description: "Fail if any CVE has CVSS score above this value" + required: false + default: "8.0" + monitor: + description: "Whether to also run 'snyk monitor'" + required: false + default: "false" + projectName: + description: "Project name for Snyk dashboard (also used to derive SARIF filename and Code Scanning category)" + required: true + +runs: + using: "composite" + steps: + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + - name: Run Snyk test + shell: bash + continue-on-error: true + run: | + snyk test \ + --sarif-file-output=snyk-maven-${{ inputs.projectName }}.sarif \ + --json-file-output=snyk-results.json + + - name: Upload SARIF to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: snyk-maven-${{ inputs.projectName }}.sarif + category: snyk-maven-${{ inputs.projectName }} + + - name: Upload SARIF as workflow artifact + uses: actions/upload-artifact@v7 + if: always() + with: + name: snyk-maven-${{ inputs.projectName }}.sarif + path: snyk-maven-${{ inputs.projectName }}.sarif + retention-days: 30 + + - name: Run Snyk monitor + if: ${{ inputs.monitor == 'true' }} + shell: bash + continue-on-error: true + run: | + snyk monitor --project-name=${{ inputs.projectName }} + + - name: Check CVSS threshold + shell: bash + run: | + THRESHOLD=${{ inputs.cvssThreshold }} + if [ -f snyk-results.json ]; then + COUNT=$(jq --argjson t "$THRESHOLD" ' + if type == "array" then + [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length + else + [.vulnerabilities[]? 
| select(.cvssScore > $t)] | length + end' snyk-results.json) + if [ "$COUNT" -gt 0 ]; then + echo "::error::Found $COUNT vulnerabilities with CVSS score > $THRESHOLD" + exit 1 + fi + echo "No vulnerabilities found with CVSS score > $THRESHOLD" + else + echo "No Snyk results file found, skipping CVSS threshold check" + fi diff --git a/.github/workflows/reusable-snyk-scan.yml b/.github/workflows/reusable-snyk-scan.yml new file mode 100644 index 0000000..9ae9acf --- /dev/null +++ b/.github/workflows/reusable-snyk-scan.yml 
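Review bot: The `Check CVSS threshold` step exits 0 when `snyk-results.json` is absent (`No Snyk results file found, skipping CVSS threshold check`), so a scan that failed outright under `continue-on-error: true` leaves the job green; make that branch an error (`echo "::error::No Snyk results file found"; exit 1`) or at least a `::warning::`. `THRESHOLD=${{ inputs.cvssThreshold }}`, `--sarif-file-output=snyk-maven-${{ inputs.projectName }}.sarif` and `--project-name=${{ inputs.projectName }}` expand inputs straight into `run:` scripts, whereas the container action in this same patch routes the equivalent inputs through `env:`; use the same pattern here (`env: CVSS_THRESHOLD: ${{ inputs.cvssThreshold }}` and `THRESHOLD="$CVSS_THRESHOLD"`). Note also that `jq --argjson t "$THRESHOLD"` aborts on a non-numeric threshold, which under GitHub's `shell: bash` (`-e`) fails the step before any message is printed, so a quick `[[ "$THRESHOLD" =~ ^[0-9.]+$ ]]` guard with a readable error would help.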
@@ -0,0 +1,118 @@ +name: Snyk Security Scan Pipeline + +on: + workflow_call: + inputs: + scanMaven: + description: "Run Maven dependency scan" + required: false + type: boolean + default: true + scanContainers: + description: "Run container image scan" + required: false + type: boolean + default: false + containerArtifact: + description: "Name of container archive artifact to download (e.g., containers-operators-amd64)" + required: false + type: string + default: "" + containerArtifactRunId: + description: "Workflow run ID to download the container artifact from" + required: false + type: string + default: "" + cvssThreshold: + description: "CVSS score threshold — fail if any CVE scores above this" + required: false + type: string + default: "8.0" + javaVersion: + description: "Java version to use for build" + required: false + type: string + default: "21" + monitor: + description: "Run 'snyk monitor' to upload results to the Snyk dashboard" + required: false + type: boolean + default: false + projectNamePrefix: + description: "Prefix for Snyk dashboard project names" + required: true + type: string + ref: + description: "Git ref to checkout" + required: false + type: string + default: "" + secrets: + SNYK_TOKEN: + required: true + +permissions: + contents: read + security-events: write + actions: read + +jobs: + snyk-maven: + name: Snyk Maven Scan + if: ${{ inputs.scanMaven }} + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout + uses: actions/checkout@v6 + with: + ref: ${{ inputs.ref || '' }} + + - name: Setup Java and Maven + uses: strimzi/github-actions/.github/actions/dependencies/setup-java@main + with: + javaVersion: ${{ inputs.javaVersion }} + + - name: Install yq + uses: strimzi/github-actions/.github/actions/dependencies/install-yq@main + + - name: Restore Maven cache + uses: actions/cache/restore@v5 + with: + path: ~/.m2/repository + key: maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + maven- + + - name: Build Maven 
project + shell: bash + run: mvn -B -DskipTests -Dmaven.javadoc.skip=true clean install + + - name: Run Snyk Maven scan + uses: strimzi/github-actions/.github/actions/security/snyk-maven-scan@main + with: + cvssThreshold: ${{ inputs.cvssThreshold }} + monitor: ${{ inputs.monitor }} + projectName: ${{ format('{0}-maven', inputs.projectNamePrefix) }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + snyk-containers: + name: Snyk Container Scan + if: ${{ inputs.scanContainers }} + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Install Docker + uses: strimzi/github-actions/.github/actions/dependencies/install-docker@main + + - name: Run Snyk container scan + uses: strimzi/github-actions/.github/actions/security/snyk-container-scan@main + with: + containerArtifact: ${{ inputs.containerArtifact }} + runId: ${{ inputs.containerArtifactRunId }} + cvssThreshold: ${{ inputs.cvssThreshold }} + monitor: ${{ inputs.monitor }} + projectName: ${{ inputs.projectNamePrefix }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From defbcf181940992563ed633b49677ff9be1b9cbb Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 11:34:44 +0200 Subject: [PATCH 02/26] Add testing workflow Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 6 +- .../security/snyk-maven-scan/action.yml | 6 +- .github/workflows/test-snyk.yml | 225 ++++++++++++++++++ 3 files changed, 235 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/test-snyk.yml diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 3df2ac8..642a998 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml 
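Review bot: `containerArtifact` and `containerArtifactRunId` default to `""` here while the `snyk-container-scan` action declares both `required: true`, so a caller that sets `scanContainers: true` without them presumably only fails inside the action at the download step; a guard step at the top of `snyk-containers` would make the contract explicit, e.g. `if [ -z "$ARTIFACT" ] || [ -z "$RUN_ID" ]; then echo "::error::containerArtifact and containerArtifactRunId are required when scanContainers is true"; exit 1; fi` with the two inputs passed via `env:`. The `permissions:` block would also benefit from a comment on why `actions: read` is granted, e.g. `# actions: read — needed to download the container artifact from another workflow run (run-id)`.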
@@ -16,6 +16,10 @@ inputs: projectName: description: "Project name prefix for Snyk dashboard (each image gets projectName-imageName)" required: true + uploadToCodeScanning: + description: "Whether to upload SARIF results to GitHub Code Scanning" + required: false + default: "true" runId: description: "Workflow run ID to download the container artifact from" required: true @@ -101,7 +105,7 @@ runs: fi - name: Upload SARIF files to GitHub Code Scanning - if: always() + if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} shell: bash env: GH_TOKEN: ${{ github.token }} diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index d6bd012..234c9b0 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -13,6 +13,10 @@ inputs: projectName: description: "Project name for Snyk dashboard (also used to derive SARIF filename and Code Scanning category)" required: true + uploadToCodeScanning: + description: "Whether to upload SARIF results to GitHub Code Scanning" + required: false + default: "true" runs: using: "composite" @@ -30,7 +34,7 @@ runs: - name: Upload SARIF to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v3 - if: always() + if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} with: sarif_file: snyk-maven-${{ inputs.projectName }}.sarif category: snyk-maven-${{ inputs.projectName }} diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml new file mode 100644 index 0000000..126fb97 --- /dev/null +++ b/.github/workflows/test-snyk.yml 
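Review bot: `if: ${{ always() && inputs.uploadToCodeScanning == 'true' }}` on both upload steps still runs the upload after the job has been cancelled; when the intent is "run after a failure but not after cancellation", `!cancelled()` is the usual form — `if: ${{ !cancelled() && inputs.uploadToCodeScanning == 'true' }}`. This applies to the `snyk-container-scan` and the `snyk-maven-scan` hunks on this line. Style: in the container action the new `uploadToCodeScanning` input is inserted before `runId`, breaking the otherwise alphabetical ordering of `inputs:`.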
@@ -0,0 +1,225 @@ +name: Snyk Scan Tests + +on: + push: + branches: + - "main" + - "release-*" + +permissions: + contents: read + actions: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + test-snyk-maven-scan: + name: Test Snyk Maven Scan + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout strimzi/kafka-quotas-plugin + uses: actions/checkout@v6 + with: + repository: strimzi/kafka-quotas-plugin + ref: main + + - name: Checkout github-actions + uses: actions/checkout@v6 + with: + repository: strimzi/github-actions + ref: ${{ github.sha }} + path: github-actions + + - name: Setup actions for testing + run: | + mkdir -p .github/actions + cp -r github-actions/.github/actions/* .github/actions/ + + - name: Setup Java and Maven + uses: ./.github/actions/dependencies/setup-java + + - name: Install yq + uses: ./.github/actions/dependencies/install-yq + + - name: Restore Maven cache + uses: actions/cache/restore@v5 + with: + path: ~/.m2/repository + key: maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + maven- + + - name: Build Maven project + shell: bash + run: mvn -B -DskipTests -Dmaven.javadoc.skip=true clean install + + - name: Run Snyk Maven scan + uses: ./.github/actions/security/snyk-maven-scan + with: + cvssThreshold: "99.0" + monitor: "false" + projectName: test-kafka-quotas-plugin + uploadToCodeScanning: "false" + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Download SARIF artifact + uses: actions/download-artifact@v7 + with: + name: snyk-maven-test-kafka-quotas-plugin.sarif + path: sarif-output + + - name: Verify SARIF artifact + shell: bash + run: | + SARIF_FILE="sarif-output/snyk-maven-test-kafka-quotas-plugin.sarif" + if [ ! -f "$SARIF_FILE" ]; then + echo "SARIF file not found: $SARIF_FILE" + exit 1 + fi + if [ ! 
-s "$SARIF_FILE" ]; then + echo "SARIF file is empty: $SARIF_FILE" + exit 1 + fi + jq empty "$SARIF_FILE" + echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)" + + wait-for-container-artifact: + name: Wait for Container Artifact + runs-on: ubuntu-latest + timeout-minutes: 90 + outputs: + run-id: ${{ steps.find-build.outputs.run_id }} + steps: + - name: Wait for container artifact + id: find-build + uses: actions/github-script@v9 + env: + INPUT_SHA: ${{ github.sha }} + ARTIFACT_NAME: "containers-drain-cleaner-amd64.tar" + MAX_WAIT_MINUTES: "80" + with: + script: | + const {owner, repo} = context.repo; + const workflowName = 'test-integrations.yml'; + const sha = process.env.INPUT_SHA; + const artifactName = process.env.ARTIFACT_NAME; + const maxWaitMinutes = parseInt(process.env.MAX_WAIT_MINUTES); + const maxWaitSeconds = maxWaitMinutes * 60; + const startTime = Date.now(); + + core.info(`Waiting for artifact '${artifactName}' from commit ${sha}`); + + async function findArtifact() { + const runs = await github.rest.actions.listWorkflowRuns({ + owner, + repo, + workflow_id: workflowName, + head_sha: sha, + per_page: 1 + }); + + const run = runs.data.workflow_runs[0]; + if (!run) return null; + + const artifacts = await github.rest.actions.listWorkflowRunArtifacts({ + owner, + repo, + run_id: run.id + }); + + const artifact = artifacts.data.artifacts.find(a => a.name === artifactName); + if (artifact) { + return { runId: run.id, artifactId: artifact.id }; + } + + if (run.status === 'completed') { + core.setFailed(`Integration tests completed (${run.conclusion}) but artifact '${artifactName}' not found`); + core.setFailed(`Run: ${context.serverUrl}/${owner}/${repo}/actions/runs/${run.id}`); + return 'failed'; + } + + return null; + } + + while (true) { + const elapsed = Math.floor((Date.now() - startTime) / 1000); + + if (elapsed >= maxWaitSeconds) { + core.setFailed(`Timeout: Artifact '${artifactName}' not found after ${maxWaitMinutes} 
minutes`); + return; + } + + const result = await findArtifact(); + + if (result === 'failed') return; + + if (result) { + core.setOutput('run_id', result.runId.toString()); + core.info(`Artifact '${artifactName}' found in run #${result.runId}`); + return; + } + + core.info(`Artifact not available yet... (${elapsed}s elapsed, max: ${maxWaitSeconds}s)`); + await new Promise(resolve => setTimeout(resolve, 30000)); + } + + test-snyk-container-scan: + name: Test Snyk Container Scan + needs: wait-for-container-artifact + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout github-actions + uses: actions/checkout@v6 + with: + repository: strimzi/github-actions + ref: ${{ github.sha }} + path: github-actions + + - name: Setup actions for testing + run: | + mkdir -p .github/actions + cp -r github-actions/.github/actions/* .github/actions/ + + - name: Install Docker + uses: ./.github/actions/dependencies/install-docker + + - name: Run Snyk container scan + uses: ./.github/actions/security/snyk-container-scan + with: + containerArtifact: containers-drain-cleaner-amd64.tar + runId: ${{ needs.wait-for-container-artifact.outputs.run-id }} + cvssThreshold: "99.0" + monitor: "false" + projectName: test-drain-cleaner + uploadToCodeScanning: "false" + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Download SARIF artifacts + uses: actions/download-artifact@v7 + with: + name: snyk-container-sarif-test-drain-cleaner + path: sarif-output + + - name: Verify SARIF artifacts + shell: bash + run: | + SARIF_COUNT=$(find sarif-output -name "*.sarif" -type f | wc -l) + if [ "$SARIF_COUNT" -eq 0 ]; then + echo "No SARIF files found in artifacts" + exit 1 + fi + echo "Found $SARIF_COUNT SARIF file(s)" + for sarif in sarif-output/*.sarif; do + if [ ! -s "$sarif" ]; then + echo "SARIF file is empty: $sarif" + exit 1 + fi + jq empty "$sarif" + echo "$(basename "$sarif"): valid JSON with $(jq '.runs | length' "$sarif") run(s)" + done 
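Review bot: The artifact name `containers-drain-cleaner-amd64.tar` is written twice in this hunk — as `ARTIFACT_NAME` in `wait-for-container-artifact` and as `containerArtifact:` in `test-snyk-container-scan` — so the two jobs can silently drift apart; lift it into a workflow-level `env:` and reference it from both. In `findArtifact`, a missing run (`if (!run) return null;`) is indistinguishable from a still-running one, so if `test-integrations.yml` never starts for this SHA the job polls for the full 80 minutes before failing; consider giving up after a bounded number of "no run found" polls. `per_page: 1` also takes whichever run the API lists first for that SHA, which after a re-run may not be the one that produced the artifact.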
From 50ca033172344d1fa56e8ba2446e2238d99ff2cf Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 11:35:04 +0200 Subject: [PATCH 03/26] Add testing branch Signed-off-by: Jakub Stejskal --- .github/workflows/test-snyk.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 126fb97..8d52f51 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -5,6 +5,7 @@ on: branches: - "main" - "release-*" + - "add-snyk-actions" permissions: contents: read From 259c9ebbe7621ef67a7404b7aa70bf5e86c99885 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 11:36:47 +0200 Subject: [PATCH 04/26] Add testing branch also to integration workflow Signed-off-by: Jakub Stejskal --- .github/workflows/test-integrations.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml index ffe1a3f..a374428 100644 --- a/.github/workflows/test-integrations.yml +++ b/.github/workflows/test-integrations.yml @@ -8,6 +8,7 @@ on: branches: - "main" - "release-*" + - "add-snyk-actions" # Declare default permissions as read only permissions: From 99a9183437e88f3fafd2a1e31912081ad192149f Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 12:09:53 +0200 Subject: [PATCH 05/26] Fix artifact name Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 642a998..d07292f 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml 
@@ -40,7 +40,7 @@ runs: - name: Untar container archive shell: bash run: | - tar -xvf ${{ inputs.containerArtifact }}.tar + tar -xvf ${{ inputs.containerArtifact }} - name: Scan container images shell: bash From 1d54ebef8a43f6d13e3185ce8dc283dad73d771e Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 13:13:41 +0200 Subject: [PATCH 06/26] Change lookup for cotnainer tar Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index d07292f..548ac13 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -52,8 +52,7 @@ runs: FAILED=0 SCANNED=0 - for archive in docker-images/container-archives/*.tar.gz; do - [ -f "$archive" ] || continue + for archive in $(find . -name "*container*.tar.gz" -type f); do IMAGE_NAME=$(basename "$archive" .tar.gz) echo "==========================================" From 3c0c5e745f93e1ad149276f3c62cdb5890202971 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 14:50:59 +0200 Subject: [PATCH 07/26] Try to uplaod serif file Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 2 +- .github/workflows/test-snyk.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 548ac13..47f677b 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -31,7 +31,7 @@ runs: uses: snyk/actions/setup@master - name: Download container artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v7 with: name: ${{ inputs.containerArtifact }} run-id: ${{ inputs.runId }} 
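Review bot: `for archive in $(find . -name "*container*.tar.gz" -type f); do` (the `@@ -52,8 +52,7 @@` hunk of patch 06) word-splits and glob-expands the `find` output and drops the `[ -f "$archive" ] || continue` guard the glob form had; paths with whitespace break, and since the search starts at `.` it could also pick up any matching tarball already present in the workspace rather than only the extracted archive. Feed `find -print0` into the loop through process substitution so the `FAILED`/`SCANNED` counters still update in the parent shell: `while IFS= read -r -d '' archive; do` … `done < <(find . -name "*container*.tar.gz" -type f -print0)`, and narrow the search root to the directory the `tar -xvf` step produces once that layout is known. The enclosing `run:` script continues outside the hunk.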
diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 8d52f51..eeb20db 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -21,10 +21,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - name: Checkout strimzi/kafka-quotas-plugin + - name: Checkout strimzi/drain-cleaner uses: actions/checkout@v6 with: - repository: strimzi/kafka-quotas-plugin + repository: strimzi/drain-cleaner ref: main - name: Checkout github-actions @@ -62,21 +62,21 @@ jobs: with: cvssThreshold: "99.0" monitor: "false" - projectName: test-kafka-quotas-plugin - uploadToCodeScanning: "false" + projectName: test-drain-cleaner + uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Download SARIF artifact uses: actions/download-artifact@v7 with: - name: snyk-maven-test-kafka-quotas-plugin.sarif + name: snyk-maven-test-drain-cleaner.sarif path: sarif-output - name: Verify SARIF artifact shell: bash run: | - SARIF_FILE="sarif-output/snyk-maven-test-kafka-quotas-plugin.sarif" + SARIF_FILE="sarif-output/snyk-maven-test-drain-cleaner.sarif" if [ ! -f "$SARIF_FILE" ]; then echo "SARIF file not found: $SARIF_FILE" exit 1 @@ -197,7 +197,7 @@ jobs: cvssThreshold: "99.0" monitor: "false" projectName: test-drain-cleaner - uploadToCodeScanning: "false" + uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 4218e96c3602fa632afd43f4c0d8bfa8a513ba8c Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 15:06:04 +0200 Subject: [PATCH 08/26] Fix permissions Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-maven-scan/action.yml | 3 ++- .github/workflows/test-snyk.yml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 234c9b0..2808ac9 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml 
+++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -33,11 +33,12 @@ runs: --json-file-output=snyk-results.json - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} with: sarif_file: snyk-maven-${{ inputs.projectName }}.sarif category: snyk-maven-${{ inputs.projectName }} + wait-for-processing: true - name: Upload SARIF as workflow artifact uses: actions/upload-artifact@v7 diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index eeb20db..0761215 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -10,6 +10,7 @@ on: permissions: contents: read actions: read + security-events: write concurrency: group: ${{ github.workflow }}-${{ github.ref }} From af064c44af2a1ab8ad40fc611d43ae8ede177bf9 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 15:20:36 +0200 Subject: [PATCH 09/26] Hack commit sha for testing Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-maven-scan/action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 2808ac9..1ca99df 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -39,6 +39,8 @@ runs: sarif_file: snyk-maven-${{ inputs.projectName }}.sarif category: snyk-maven-${{ inputs.projectName }} wait-for-processing: true + ref: ${{ github.ref }} + sha: ${{ github.sha }} - name: Upload SARIF as workflow artifact uses: actions/upload-artifact@v7 From 901518ae073c4ebf9ea9dd7290dd37c28f3363fd Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 15:50:24 +0200 Subject: [PATCH 10/26] Hack commit sha for testing v2 
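Review bot: `security-events: write` is added at workflow level in `test-snyk.yml` (hunk `@@ -10,6 +10,7 @@`), which grants it to every job including `wait-for-container-artifact`, which only reads workflow runs and artifacts; move it into a job-level `permissions:` block on the two jobs that upload SARIF so the polling job keeps read-only scopes. In the `snyk-maven-scan` hunk, `wait-for-processing: true` deserves a one-line comment saying why it is set, e.g. `# block until GitHub has ingested the SARIF so processing errors fail this step instead of being lost`.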
Signed-off-by: Jakub Stejskal --- .../security/snyk-maven-scan/action.yml | 2 -- .github/workflows/test-snyk.yml | 19 ++++++++----------- 2 files changed, 8 insertions(+), 13 deletions(-) diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 1ca99df..2808ac9 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -39,8 +39,6 @@ runs: sarif_file: snyk-maven-${{ inputs.projectName }}.sarif category: snyk-maven-${{ inputs.projectName }} wait-for-processing: true - ref: ${{ github.ref }} - sha: ${{ github.sha }} - name: Upload SARIF as workflow artifact uses: actions/upload-artifact@v7 diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 0761215..414fd32 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -22,23 +22,20 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - name: Checkout strimzi/drain-cleaner + - name: Checkout github-actions uses: actions/checkout@v6 with: - repository: strimzi/drain-cleaner - ref: main + ref: ${{ github.sha }} - - name: Checkout github-actions + - name: Checkout strimzi/drain-cleaner uses: actions/checkout@v6 with: - repository: strimzi/github-actions - ref: ${{ github.sha }} - path: github-actions + repository: strimzi/drain-cleaner + ref: main + path: drain-cleaner - - name: Setup actions for testing - run: | - mkdir -p .github/actions - cp -r github-actions/.github/actions/* .github/actions/ + - name: Copy drain-cleaner project to workspace root + run: rsync -a --exclude='.git' --exclude='.github' drain-cleaner/ ./ - name: Setup Java and Maven uses: ./.github/actions/dependencies/setup-java From e3e583361c1202c9b6ddec910da6ff2ecdcfda70 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 15:56:44 +0200 Subject: [PATCH 11/26] Sanitize snyk output 
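Review bot: `Checkout strimzi/drain-cleaner` pins to `ref: main`, so the test job builds and scans whatever that repository's `main` contains at run time; a test meant to exercise this repo's actions is more reproducible against a tag or commit SHA (`ref: <pinned drain-cleaner tag or SHA>`). The rsync step should also say why `.github` is excluded, e.g. `# keep this repo's actions; drain-cleaner's own workflows must not shadow them`, and for consistency with the other `run:` steps in this file it should carry `shell: bash` so it runs with the same `-e`/`pipefail` settings.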
Signed-off-by: Jakub Stejskal --- .../actions/security/snyk-container-scan/action.yml | 11 +++++++++++ .github/actions/security/snyk-maven-scan/action.yml | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 47f677b..259b907 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -103,6 +103,17 @@ runs: exit 1 fi + - name: Sanitize SARIF security-severity values + shell: bash + run: | + for sarif in snyk-container-*.sarif; do + [ -f "$sarif" ] || continue + jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= + if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" + else . + end' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" + done + - name: Upload SARIF files to GitHub Code Scanning if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} shell: bash diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 2808ac9..c50d8cd 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -32,6 +32,17 @@ runs: --sarif-file-output=snyk-maven-${{ inputs.projectName }}.sarif \ --json-file-output=snyk-results.json + - name: Sanitize SARIF security-severity values + shell: bash + run: | + SARIF_FILE="snyk-maven-${{ inputs.projectName }}.sarif" + if [ -f "$SARIF_FILE" ]; then + jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= + if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" + else . + end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE" + fi + - name: Upload SARIF to GitHub Code Scanning uses: github/codeql-action/upload-sarif@v4 if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} 
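Review bot: The new `Sanitize SARIF security-severity values` step in `snyk-container-scan/action.yml` has no `if:` condition, so it only runs when the preceding `Scan container images` step succeeded — but that step does `exit 1` whenever the CVSS threshold is exceeded, which is exactly the case in which the `if: always() && …` upload step then pushes the unsanitized SARIF to Code Scanning. Add `if: always()` (or `!cancelled()`) to the sanitize step so the upload always sees cleaned files; the maven hunk on this line is not affected because its `snyk test` step runs with `continue-on-error: true` and the threshold check comes last. A comment stating what the rewrite is for would help, e.g. `# presumably Code Scanning rejects rules whose security-severity is not a numeric string; map missing/"undefined" values to "0.0"`, with the reason confirmed by the author.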
From 3e39c093e4a3f372b73e021e557ff19ef82b88ff Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 16:27:12 +0200 Subject: [PATCH 12/26] Fix serif uplaod for containers Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 259b907..485b1a1 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -123,16 +123,17 @@ runs: for sarif in snyk-container-*.sarif; do [ -f "$sarif" ] || continue IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') - echo "Uploading SARIF for image: $IMAGE_NAME" + CATEGORY="snyk-container-${IMAGE_NAME}" + echo "Uploading SARIF for image: $IMAGE_NAME (category: $CATEGORY)" + jq --arg cat "$CATEGORY" '.runs[].automationDetails.id = $cat' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" ENCODED=$(gzip -c "$sarif" | base64 -w0) gh api \ -X POST \ "/repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \ -f commit_sha="$GITHUB_SHA" \ -f ref="$GITHUB_REF" \ - -f sarif="$ENCODED" \ - -f category="snyk-container-${IMAGE_NAME}" - echo "Uploaded SARIF for $IMAGE_NAME with category: snyk-container-${IMAGE_NAME}" + -f sarif="$ENCODED" + echo "Uploaded SARIF for $IMAGE_NAME" done - name: Upload SARIF artifacts From b859c13c57d49db0c6d811364698f8bd1d4c2480 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 16:42:05 +0200 Subject: [PATCH 13/26] Fix indexing Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 485b1a1..6855383 100644 
--- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -125,7 +125,7 @@ runs: IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') CATEGORY="snyk-container-${IMAGE_NAME}" echo "Uploading SARIF for image: $IMAGE_NAME (category: $CATEGORY)" - jq --arg cat "$CATEGORY" '.runs[].automationDetails.id = $cat' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" + jq --arg cat "$CATEGORY" '.runs |= [to_entries[] | .value.automationDetails.id = "\($cat)-\(.key)" | .value]' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" ENCODED=$(gzip -c "$sarif" | base64 -w0) gh api \ -X POST \ From e38dd6d31a1fc10ec6da25b2c37b689e361d27f4 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 28 May 2026 19:45:49 +0200 Subject: [PATCH 14/26] Try to propagate image name Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 31 +++++++++++++------ 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 6855383..34b28c4 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml 
@@ -124,16 +124,27 @@ runs: [ -f "$sarif" ] || continue IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') CATEGORY="snyk-container-${IMAGE_NAME}" - echo "Uploading SARIF for image: $IMAGE_NAME (category: $CATEGORY)" - jq --arg cat "$CATEGORY" '.runs |= [to_entries[] | .value.automationDetails.id = "\($cat)-\(.key)" | .value]' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" - ENCODED=$(gzip -c "$sarif" | base64 -w0) - gh api \ - -X POST \ - "/repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \ - -f commit_sha="$GITHUB_SHA" \ - -f ref="$GITHUB_REF" \ - -f sarif="$ENCODED" - echo "Uploaded SARIF for $IMAGE_NAME" + + RUN_COUNT=$(jq '.runs | length' "$sarif") + echo "Uploading SARIF for image: $IMAGE_NAME ($RUN_COUNT run(s), category: $CATEGORY)" + + for i in $(seq 0 $((RUN_COUNT - 1))); do + jq --argjson idx "$i" --arg cat "${CATEGORY}/${i}" --arg img "$IMAGE_NAME" ' + .runs = [.runs[$idx] + | .automationDetails.id = $cat + | .tool.driver.name = (.tool.driver.name + " (" + $img + ")") + ] + ' "$sarif" > "upload-${IMAGE_NAME}-${i}.sarif" + + ENCODED=$(gzip -c "upload-${IMAGE_NAME}-${i}.sarif" | base64 -w0) + gh api \ + -X POST \ + "/repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \ + -f commit_sha="$GITHUB_SHA" \ + -f ref="$GITHUB_REF" \ + -f sarif="$ENCODED" + echo "Uploaded run $i for $IMAGE_NAME" + done done - name: Upload SARIF artifacts From e32cdee600516fb2bcb000d59c5a5e992d2159ae Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 4 Jun 2026 15:47:58 +0200 Subject: [PATCH 15/26] Test with operators repo Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 12 ++++++----- .../security/snyk-maven-scan/action.yml | 21 +++++++++++-------- .github/workflows/reusable-snyk-scan.yml | 8 +++---- .github/workflows/test-snyk.yml | 10 ++++----- 4 files changed, 28 insertions(+), 23 deletions(-) 
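Review bot: The per-run category `"${CATEGORY}/${i}"` written into `automationDetails.id` probably does not yield distinct categories: as I read the Code Scanning SARIF documentation, everything after the last `/` in `automationDetails.id` is treated as a run identifier and ignored, so every run of one image collapses to `snyk-container-<image>` and each upload in the inner loop supersedes the previous one. Use a separator other than `/`, e.g. `--arg cat "${CATEGORY}-run${i}"`, and confirm in the Security tab that one analysis per run appears. The loop also rewrites `.tool.driver.name` per image; since GitHub identifies an analysis by tool name plus category, images later removed from the archive will leave stale analyses that nothing deletes — worth a comment such as `# NOTE: retired images leave stale per-image analyses; delete them via the code-scanning analyses API`. The enclosing `for sarif in ...` loop starts outside this hunk.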
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 34b28c4..e9c929e 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -13,8 +13,8 @@ inputs: description: "Whether to also run 'snyk container monitor'" required: false default: "false" - projectName: - description: "Project name prefix for Snyk dashboard (each image gets projectName-imageName)" + projectPrefix: + description: "Project prefix for Snyk dashboard and SARIF artifact naming (e.g., 'strimzi')" required: true uploadToCodeScanning: description: "Whether to upload SARIF results to GitHub Code Scanning" @@ -47,7 +47,6 @@ runs: env: CVSS_THRESHOLD: ${{ inputs.cvssThreshold }} MONITOR: ${{ inputs.monitor }} - PROJECT_NAME: ${{ inputs.projectName }} run: | FAILED=0 SCANNED=0 @@ -76,8 +75,11 @@ runs: --json-file-output="$JSON_FILE" || true if [ "$MONITOR" = "true" ]; then + MONITOR_PROJECT="${LOADED_IMAGE%%:*}" + MONITOR_REVISION="${LOADED_IMAGE##*:}" snyk container monitor "$LOADED_IMAGE" \ - --project-name="${PROJECT_NAME}-${IMAGE_NAME}" || true + --project-name="$MONITOR_PROJECT" \ + --target-reference="$MONITOR_REVISION" || true fi if [ -f "$JSON_FILE" ]; then @@ -151,6 +153,6 @@ runs: uses: actions/upload-artifact@v7 if: always() with: - name: snyk-container-sarif-${{ inputs.projectName }} + name: snyk-container-sarif-${{ inputs.projectPrefix }} path: snyk-container-*.sarif retention-days: 30 diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index c50d8cd..27ada23 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml 
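Review bot: `MONITOR_PROJECT="${LOADED_IMAGE%%:*}"` in the new monitor branch cuts at the first colon, so an image loaded as `localhost:5000/strimzi/operator:latest` is registered in Snyk as project `localhost`, and every image from a registry with a port collides under that one name. Use the shortest-suffix form `MONITOR_PROJECT="${LOADED_IMAGE%:*}"` so only the tag is stripped; `MONITOR_REVISION="${LOADED_IMAGE##*:}"` is already correct for tagged references. The script greps for `Loaded image:` so digest-only references (`@sha256:...`) are presumably never seen here, but a one-line comment stating that assumption above the two assignments would save the next reader the same analysis.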
@@ -10,8 +10,8 @@ inputs: description: "Whether to also run 'snyk monitor'" required: false default: "false" - projectName: - description: "Project name for Snyk dashboard (also used to derive SARIF filename and Code Scanning category)" + projectPrefix: + description: "Project prefix for Snyk dashboard and SARIF naming (e.g., 'strimzi')" required: true uploadToCodeScanning: description: "Whether to upload SARIF results to GitHub Code Scanning" @@ -29,13 +29,13 @@ runs: continue-on-error: true run: | snyk test \ - --sarif-file-output=snyk-maven-${{ inputs.projectName }}.sarif \ + --sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif \ --json-file-output=snyk-results.json - name: Sanitize SARIF security-severity values shell: bash run: | - SARIF_FILE="snyk-maven-${{ inputs.projectName }}.sarif" + SARIF_FILE="snyk-maven-${{ inputs.projectPrefix }}.sarif" if [ -f "$SARIF_FILE" ]; then jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" 
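Review bot: `--sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif` and `SARIF_FILE="snyk-maven-${{ inputs.projectPrefix }}.sarif"` splice the input into the script before bash sees it, so a prefix containing a quote or `$(...)` is executed rather than used as a file name; the value comes from the calling workflow rather than from a PR author, which limits the exposure, but actionlint and zizmor flag this pattern, and the monitor step of this same patch already avoids it with `env: PROJECT_PREFIX`. Pass it the same way here: `env: SARIF_FILE: snyk-maven-${{ inputs.projectPrefix }}.sarif`, then `--sarif-file-output="$SARIF_FILE"` in the scan step and `if [ -f "$SARIF_FILE" ]` in the sanitize step. The sanitize step's jq filter continues past the end of this hunk.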
@@ -47,24 +47,27 @@ runs: uses: github/codeql-action/upload-sarif@v4 if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} with: - sarif_file: snyk-maven-${{ inputs.projectName }}.sarif - category: snyk-maven-${{ inputs.projectName }} + sarif_file: snyk-maven-${{ inputs.projectPrefix }}.sarif + category: snyk-maven-${{ inputs.projectPrefix }} wait-for-processing: true - name: Upload SARIF as workflow artifact uses: actions/upload-artifact@v7 if: always() with: - name: snyk-maven-${{ inputs.projectName }}.sarif - path: snyk-maven-${{ inputs.projectName }}.sarif + name: snyk-maven-${{ inputs.projectPrefix }}.sarif + path: snyk-maven-${{ inputs.projectPrefix }}.sarif retention-days: 30 - name: Run Snyk monitor if: ${{ inputs.monitor == 'true' }} shell: bash continue-on-error: true + env: + PROJECT_PREFIX: ${{ inputs.projectPrefix }} run: | - snyk monitor --project-name=${{ inputs.projectName }} + REPO_NAME="${GITHUB_REPOSITORY##*/}" + snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}" - name: Check CVSS threshold shell: bash diff --git a/.github/workflows/reusable-snyk-scan.yml b/.github/workflows/reusable-snyk-scan.yml index 9ae9acf..3d993e8 100644 --- a/.github/workflows/reusable-snyk-scan.yml +++ b/.github/workflows/reusable-snyk-scan.yml @@ -38,8 +38,8 @@ on: required: false type: boolean default: false - projectNamePrefix: - description: "Prefix for Snyk dashboard project names" + projectPrefix: + description: "Project prefix for Snyk dashboard (e.g., 'strimzi')" required: true type: string ref: @@ -93,7 +93,7 @@ jobs: with: cvssThreshold: ${{ inputs.cvssThreshold }} monitor: ${{ inputs.monitor }} - projectName: ${{ format('{0}-maven', inputs.projectNamePrefix) }} + projectPrefix: ${{ inputs.projectPrefix }} env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 
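Review bot: The rewritten monitor step keeps `continue-on-error: true`, so an expired or revoked `SNYK_TOKEN` makes `snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}"` fail without affecting the job and the Snyk dashboard silently stops receiving snapshots. Keep the best-effort semantics but surface the failure: `snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}" || echo "::warning::snyk monitor failed for ${PROJECT_PREFIX}/${REPO_NAME}"` and drop `continue-on-error`. Passing the prefix through `env` rather than `${{ }}` interpolation, as this step now does, is the right pattern; the other shell steps of this action should be brought in line with it.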
@@ -113,6 +113,6 @@ jobs: runId: ${{ inputs.containerArtifactRunId }} cvssThreshold: ${{ inputs.cvssThreshold }} monitor: ${{ inputs.monitor }} - projectName: ${{ inputs.projectNamePrefix }} + projectPrefix: ${{ inputs.projectPrefix }} env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 414fd32..87d1357 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -60,7 +60,7 @@ jobs: with: cvssThreshold: "99.0" monitor: "false" - projectName: test-drain-cleaner + projectPrefix: test-drain-cleaner uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -98,7 +98,7 @@ jobs: uses: actions/github-script@v9 env: INPUT_SHA: ${{ github.sha }} - ARTIFACT_NAME: "containers-drain-cleaner-amd64.tar" + ARTIFACT_NAME: "containers-operators-amd64.tar" MAX_WAIT_MINUTES: "80" with: script: | @@ -190,11 +190,11 @@ jobs: - name: Run Snyk container scan uses: ./.github/actions/security/snyk-container-scan with: - containerArtifact: containers-drain-cleaner-amd64.tar + containerArtifact: containers-operators-amd64.tar runId: ${{ needs.wait-for-container-artifact.outputs.run-id }} cvssThreshold: "99.0" monitor: "false" - projectName: test-drain-cleaner + projectPrefix: test-operators uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -202,7 +202,7 @@ jobs: - name: Download SARIF artifacts uses: actions/download-artifact@v7 with: - name: snyk-container-sarif-test-drain-cleaner + name: snyk-container-sarif-test-operators path: sarif-output - name: Verify SARIF artifacts From 3497f2290e8838bbc54dc8eeddc7dbc276ba5578 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 4 Jun 2026 16:29:01 +0200 Subject: [PATCH 16/26] Find all tarballs in the repo Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index e9c929e..d5a783d 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -51,7 +51,7 @@ runs: FAILED=0 SCANNED=0 - for archive in $(find . -name "*container*.tar.gz" -type f); do + for archive in $(find . -name "*.tar.gz" -type f); do IMAGE_NAME=$(basename "$archive" .tar.gz) echo "==========================================" From f154d19fcf3ce7ddbee73f9da622ba180c302e18 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 4 Jun 2026 19:36:54 +0200 Subject: [PATCH 17/26] Upload with action Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index d5a783d..dc65c22 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -116,19 +116,17 @@ runs: end' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" done - - name: Upload SARIF files to GitHub Code Scanning - if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} + - name: Prepare SARIF files for upload shell: bash - env: - GH_TOKEN: ${{ github.token }} run: | + mkdir -p sarif-upload for sarif in snyk-container-*.sarif; do [ -f "$sarif" ] || continue IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') CATEGORY="snyk-container-${IMAGE_NAME}" RUN_COUNT=$(jq '.runs | length' "$sarif") - echo "Uploading SARIF for image: $IMAGE_NAME ($RUN_COUNT run(s), category: $CATEGORY)" + echo "Preparing SARIF for image: $IMAGE_NAME ($RUN_COUNT run(s), category: $CATEGORY)" for i in $(seq 0 $((RUN_COUNT - 1))); do jq --argjson idx "$i" --arg cat "${CATEGORY}/${i}" --arg img "$IMAGE_NAME" ' 
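Review bot: Widening the loop to `$(find . -name "*.tar.gz" -type f)` makes the step `docker load` every `.tar.gz` anywhere under the working directory rather than only the extracted container archives, and the unquoted command substitution word-splits on any path containing whitespace. The archives come from a downloaded artifact untarred into a known directory, so confine the search to that directory and read paths safely: `while IFS= read -r -d '' archive; do ... done < <(find docker-images -name '*.tar.gz' -type f -print0)`. Loading an unrelated tarball only fails noisily today, but narrowing the input set is cheap and keeps the scan's scope explicit.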
@@ -136,18 +134,17 @@ runs: | .automationDetails.id = $cat | .tool.driver.name = (.tool.driver.name + " (" + $img + ")") ] - ' "$sarif" > "upload-${IMAGE_NAME}-${i}.sarif" - - ENCODED=$(gzip -c "upload-${IMAGE_NAME}-${i}.sarif" | base64 -w0) - gh api \ - -X POST \ - "/repos/$GITHUB_REPOSITORY/code-scanning/sarifs" \ - -f commit_sha="$GITHUB_SHA" \ - -f ref="$GITHUB_REF" \ - -f sarif="$ENCODED" - echo "Uploaded run $i for $IMAGE_NAME" + ' "$sarif" > "sarif-upload/${IMAGE_NAME}-${i}.sarif" done done + echo "Prepared $(find sarif-upload -name '*.sarif' | wc -l) SARIF file(s) for upload" + + - name: Upload SARIF to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v4 + if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} + with: + sarif_file: sarif-upload + wait-for-processing: true - name: Upload SARIF artifacts uses: actions/upload-artifact@v7 From 98eb57b8048ba18aed4b71d623fdf3841113eea7 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 4 Jun 2026 20:59:35 +0200 Subject: [PATCH 18/26] Try differnt approach Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 46 +++++++++---------- .github/workflows/reusable-snyk-scan.yml | 25 ++++++++++ .github/workflows/test-snyk.yml | 28 ++++++++++- 3 files changed, 72 insertions(+), 27 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index dc65c22..d960431 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -1,5 +1,5 @@ name: "Snyk Container Scan" -description: "Download container archive, discover images, and run Snyk container scan on each with SARIF upload and CVSS threshold check" +description: "Download container archive, discover images, and run Snyk container scan on each with CVSS threshold check" inputs: containerArtifact: 
@@ -16,14 +16,15 @@ inputs: projectPrefix: description: "Project prefix for Snyk dashboard and SARIF artifact naming (e.g., 'strimzi')" required: true - uploadToCodeScanning: - description: "Whether to upload SARIF results to GitHub Code Scanning" - required: false - default: "true" runId: description: "Workflow run ID to download the container artifact from" required: true +outputs: + images: + description: "JSON array of scanned image names (for matrix upload)" + value: ${{ steps.prepare-sarif.outputs.images }} + runs: using: "composite" steps: @@ -105,28 +106,25 @@ runs: exit 1 fi - - name: Sanitize SARIF security-severity values + - name: Prepare SARIF files for upload + id: prepare-sarif shell: bash run: | + IMAGE_LIST="[]" for sarif in snyk-container-*.sarif; do [ -f "$sarif" ] || continue + IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') + + # Sanitize security-severity values jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" else . end' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" - done - - name: Prepare SARIF files for upload - shell: bash - run: | - mkdir -p sarif-upload - for sarif in snyk-container-*.sarif; do - [ -f "$sarif" ] || continue - IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') + # Split multi-run SARIFs into individual files in per-image directories + mkdir -p "sarif-upload/${IMAGE_NAME}" CATEGORY="snyk-container-${IMAGE_NAME}" - RUN_COUNT=$(jq '.runs | length' "$sarif") - echo "Preparing SARIF for image: $IMAGE_NAME ($RUN_COUNT run(s), category: $CATEGORY)" for i in $(seq 0 $((RUN_COUNT - 1))); do jq --argjson idx "$i" --arg cat "${CATEGORY}/${i}" --arg img "$IMAGE_NAME" ' 
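Review bot: `RUN_COUNT` is no longer assigned on the new side of this hunk — the `RUN_COUNT=$(jq '.runs | length' "$sarif")` line is removed and nothing replaces it — while `for i in $(seq 0 $((RUN_COUNT - 1)))` still depends on it, so the arithmetic on an unset variable yields `-1`, `seq 0 -1` prints nothing, and no `run-N.sarif` files are written into the freshly created per-image directory. Unless the variable is set on the single line that falls between this hunk and the next (not shown), the downstream matrix upload finds empty directories. Restore the assignment right after `CATEGORY=`: `RUN_COUNT=$(jq '.runs | length' "$sarif")`, and consider `set -u` at the top of the script so an unset variable fails loudly instead of producing an empty loop.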
@@ -134,22 +132,20 @@ runs: | .automationDetails.id = $cat | .tool.driver.name = (.tool.driver.name + " (" + $img + ")") ] - ' "$sarif" > "sarif-upload/${IMAGE_NAME}-${i}.sarif" + ' "$sarif" > "sarif-upload/${IMAGE_NAME}/run-${i}.sarif" done + + IMAGE_LIST=$(echo "$IMAGE_LIST" | jq --arg img "$IMAGE_NAME" '. + [$img]') + echo "Prepared $RUN_COUNT SARIF run(s) for $IMAGE_NAME" done - echo "Prepared $(find sarif-upload -name '*.sarif' | wc -l) SARIF file(s) for upload" - - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 - if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} - with: - sarif_file: sarif-upload - wait-for-processing: true + echo "images=${IMAGE_LIST}" >> "$GITHUB_OUTPUT" + echo "Image list: ${IMAGE_LIST}" - name: Upload SARIF artifacts uses: actions/upload-artifact@v7 if: always() with: name: snyk-container-sarif-${{ inputs.projectPrefix }} - path: snyk-container-*.sarif + path: sarif-upload/ retention-days: 30 diff --git a/.github/workflows/reusable-snyk-scan.yml b/.github/workflows/reusable-snyk-scan.yml index 3d993e8..e3ea311 100644 --- a/.github/workflows/reusable-snyk-scan.yml +++ b/.github/workflows/reusable-snyk-scan.yml @@ -102,11 +102,14 @@ jobs: if: ${{ inputs.scanContainers }} runs-on: ubuntu-latest timeout-minutes: 60 + outputs: + images: ${{ steps.scan.outputs.images }} steps: - name: Install Docker uses: strimzi/github-actions/.github/actions/dependencies/install-docker@main - name: Run Snyk container scan + id: scan uses: strimzi/github-actions/.github/actions/security/snyk-container-scan@main with: containerArtifact: ${{ inputs.containerArtifact }} 
@@ -116,3 +119,25 @@ jobs: projectPrefix: ${{ inputs.projectPrefix }} env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + snyk-container-upload-sarif: + name: Upload Container SARIF (${{ matrix.image }}) + if: ${{ inputs.scanContainers && needs.snyk-containers.result == 'success' }} + needs: snyk-containers + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + image: ${{ fromJson(needs.snyk-containers.outputs.images) }} + steps: + - name: Download SARIF artifacts + uses: actions/download-artifact@v7 + with: + name: snyk-container-sarif-${{ inputs.projectPrefix }} + path: sarif-download + + - name: Upload SARIF to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: sarif-download/${{ matrix.image }} + wait-for-processing: true diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 87d1357..cf66659 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -171,6 +171,8 @@ jobs: needs: wait-for-container-artifact runs-on: ubuntu-latest timeout-minutes: 30 + outputs: + images: ${{ steps.scan.outputs.images }} steps: - name: Checkout github-actions uses: actions/checkout@v6 @@ -188,6 +190,7 @@ jobs: uses: ./.github/actions/dependencies/install-docker - name: Run Snyk container scan + id: scan uses: ./.github/actions/security/snyk-container-scan with: containerArtifact: containers-operators-amd64.tar @@ -195,7 +198,6 @@ jobs: cvssThreshold: "99.0" monitor: "false" projectPrefix: test-operators - uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -214,7 +216,7 @@ jobs: exit 1 fi echo "Found $SARIF_COUNT SARIF file(s)" - for sarif in sarif-output/*.sarif; do + for sarif in $(find sarif-output -name "*.sarif" -type f); do if [ ! -s "$sarif" ]; then echo "SARIF file is empty: $sarif" exit 1 
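Review bot: `if: ${{ inputs.scanContainers && needs.snyk-containers.result == 'success' }}` on the new upload job (and `needs.test-snyk-container-scan.result == 'success'` in test-snyk.yml) only uploads to Code Scanning when the scan job passed, but that job exits 1 precisely when an image exceeds the CVSS threshold, so the findings most worth seeing never reach the Security tab. Compounding this, the `prepare-sarif` step introduced earlier in this patch carries no `if: always()`, so after a threshold failure the `images` output is never produced at all. Give that step `if: always()`, and gate the upload job on the scan having run rather than passed: `if: ${{ always() && inputs.scanContainers && needs.snyk-containers.outputs.images != '' && needs.snyk-containers.outputs.images != '[]' }}` — the `!= '[]'` part matters because `fromJson` of an empty list produces an empty matrix, which GitHub rejects as a workflow error.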
@@ -222,3 +224,25 @@ jobs: jq empty "$sarif" echo "$(basename "$sarif"): valid JSON with $(jq '.runs | length' "$sarif") run(s)" done + + upload-container-sarif: + name: Upload Container SARIF (${{ matrix.image }}) + if: ${{ needs.test-snyk-container-scan.result == 'success' }} + needs: test-snyk-container-scan + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + image: ${{ fromJson(needs.test-snyk-container-scan.outputs.images) }} + steps: + - name: Download SARIF artifacts + uses: actions/download-artifact@v7 + with: + name: snyk-container-sarif-test-operators + path: sarif-download + + - name: Upload SARIF to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: sarif-download/${{ matrix.image }} + wait-for-processing: true From fb9d097d12d8e9c75f13ecbf39102196aebed40c Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Thu, 4 Jun 2026 21:27:21 +0200 Subject: [PATCH 19/26] Remove pretty print Signed-off-by: Jakub Stejskal --- .github/actions/security/snyk-container-scan/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index d960431..7e300c3 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -135,7 +135,7 @@ runs: ' "$sarif" > "sarif-upload/${IMAGE_NAME}/run-${i}.sarif" done - IMAGE_LIST=$(echo "$IMAGE_LIST" | jq --arg img "$IMAGE_NAME" '. + [$img]') + IMAGE_LIST=$(echo "$IMAGE_LIST" | jq -c --arg img "$IMAGE_NAME" '. + [$img]') echo "Prepared $RUN_COUNT SARIF run(s) for $IMAGE_NAME" done From db18d0177ab40a3c587b4d81f76bcc773369562e Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Fri, 5 Jun 2026 21:35:13 +0200 Subject: [PATCH 20/26] Try better approach for reporting 
Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 194 ++++++++---------- .github/workflows/reusable-snyk-scan.yml | 143 ------------- .github/workflows/test-snyk.yml | 103 +++++----- 3 files changed, 131 insertions(+), 309 deletions(-) delete mode 100644 .github/workflows/reusable-snyk-scan.yml diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 7e300c3..fd56f03 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -1,9 +1,12 @@ name: "Snyk Container Scan" -description: "Download container archive, discover images, and run Snyk container scan on each with CVSS threshold check" +description: "Scan a single container image with Snyk, upload results to Code Scanning, and check CVSS threshold" inputs: - containerArtifact: - description: "Name of the container archive artifact to download" + imageFile: + description: "Path to container image file for docker load" + required: true + image: + description: "Image name for SARIF naming and categorization" required: true cvssThreshold: description: "Fail if any CVE has CVSS score above this value" @@ -14,16 +17,12 @@ inputs: required: false default: "false" projectPrefix: - description: "Project prefix for Snyk dashboard and SARIF artifact naming (e.g., 'strimzi')" - required: true - runId: - description: "Workflow run ID to download the container artifact from" + description: "Project prefix for Snyk dashboard (e.g., 'strimzi')" required: true - -outputs: - images: - description: "JSON array of scanned image names (for matrix upload)" - value: ${{ steps.prepare-sarif.outputs.images }} + uploadToCodeScanning: + description: "Whether to upload SARIF results to GitHub Code Scanning" + required: false + default: "true" runs: using: "composite" 
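Review bot: The new `uploadToCodeScanning` input defaults to `"true"`, but nothing in its description says the upload needs `security-events: write` on the calling job; callers in other repositories will get a 403 on the upload step with no hint here. Extend it: `description: "Whether to upload SARIF results to GitHub Code Scanning (the calling job needs permissions: security-events: write)"`. Likewise `image` is used to build file names and the Code Scanning category, so its description should state the accepted characters, e.g. `description: "Image name used for SARIF file naming and the Code Scanning category (letters, digits, '.', '_' and '-' only)"`.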
@@ -31,121 +30,94 @@ runs: - name: Setup Snyk CLI uses: snyk/actions/setup@master - - name: Download container artifact - uses: actions/download-artifact@v7 - with: - name: ${{ inputs.containerArtifact }} - run-id: ${{ inputs.runId }} - github-token: ${{ github.token }} - - - name: Untar container archive - shell: bash - run: | - tar -xvf ${{ inputs.containerArtifact }} - - - name: Scan container images + - name: Load and scan image shell: bash + continue-on-error: true env: - CVSS_THRESHOLD: ${{ inputs.cvssThreshold }} - MONITOR: ${{ inputs.monitor }} + IMAGE_FILE: ${{ inputs.imageFile }} + IMAGE_NAME: ${{ inputs.image }} run: | - FAILED=0 - SCANNED=0 - - for archive in $(find . -name "*.tar.gz" -type f); do - IMAGE_NAME=$(basename "$archive" .tar.gz) - - echo "==========================================" - echo "Scanning image: $IMAGE_NAME" - echo "==========================================" - - LOAD_OUTPUT=$(docker load < "$archive") - echo "$LOAD_OUTPUT" - LOADED_IMAGE=$(echo "$LOAD_OUTPUT" | grep "Loaded image" | sed 's/Loaded image: //') - - if [ -z "$LOADED_IMAGE" ]; then - echo "::warning::Could not determine loaded image tag for $IMAGE_NAME, skipping" - continue - fi - - SARIF_FILE="snyk-container-${IMAGE_NAME}.sarif" - JSON_FILE="snyk-container-${IMAGE_NAME}.json" - - snyk container test "$LOADED_IMAGE" \ - --sarif-file-output="$SARIF_FILE" \ - --json-file-output="$JSON_FILE" || true - - if [ "$MONITOR" = "true" ]; then - MONITOR_PROJECT="${LOADED_IMAGE%%:*}" - MONITOR_REVISION="${LOADED_IMAGE##*:}" - snyk container monitor "$LOADED_IMAGE" \ - --project-name="$MONITOR_PROJECT" \ - --target-reference="$MONITOR_REVISION" || true - fi - - if [ -f "$JSON_FILE" ]; then - COUNT=$(jq --argjson t "$CVSS_THRESHOLD" ' - if type == "array" then - [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length - else - [.vulnerabilities[]? 
| select(.cvssScore > $t)] | length - end' "$JSON_FILE") - if [ "$COUNT" -gt 0 ]; then - echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $CVSS_THRESHOLD" - FAILED=$((FAILED + 1)) - fi - fi - - SCANNED=$((SCANNED + 1)) - done + if [ ! -f "$IMAGE_FILE" ]; then + echo "::error::Image file not found: $IMAGE_FILE" + exit 1 + fi - echo "Scanned $SCANNED image(s)" + LOAD_OUTPUT=$(docker load < "$IMAGE_FILE") + echo "$LOAD_OUTPUT" + LOADED_IMAGE=$(echo "$LOAD_OUTPUT" | grep "Loaded image" | sed 's/Loaded image: //') - if [ "$FAILED" -gt 0 ]; then - echo "::error::CVSS threshold exceeded for $FAILED image(s)" + if [ -z "$LOADED_IMAGE" ]; then + echo "::error::Could not determine loaded image tag for $IMAGE_NAME" exit 1 fi - - name: Prepare SARIF files for upload - id: prepare-sarif + echo "LOADED_IMAGE=$LOADED_IMAGE" >> "$GITHUB_ENV" + + snyk container test "$LOADED_IMAGE" \ + --sarif-file-output="snyk-container-${IMAGE_NAME}.sarif" \ + --json-file-output="snyk-container-${IMAGE_NAME}.json" + + - name: Sanitize SARIF security-severity values shell: bash + env: + IMAGE_NAME: ${{ inputs.image }} run: | - IMAGE_LIST="[]" - for sarif in snyk-container-*.sarif; do - [ -f "$sarif" ] || continue - IMAGE_NAME=$(basename "$sarif" .sarif | sed 's/snyk-container-//') - - # Sanitize security-severity values + SARIF_FILE="snyk-container-${IMAGE_NAME}.sarif" + if [ -f "$SARIF_FILE" ]; then jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" else . 
- end' "$sarif" > "${sarif}.tmp" && mv "${sarif}.tmp" "$sarif" - - # Split multi-run SARIFs into individual files in per-image directories - mkdir -p "sarif-upload/${IMAGE_NAME}" - CATEGORY="snyk-container-${IMAGE_NAME}" - RUN_COUNT=$(jq '.runs | length' "$sarif") - - for i in $(seq 0 $((RUN_COUNT - 1))); do - jq --argjson idx "$i" --arg cat "${CATEGORY}/${i}" --arg img "$IMAGE_NAME" ' - .runs = [.runs[$idx] - | .automationDetails.id = $cat - | .tool.driver.name = (.tool.driver.name + " (" + $img + ")") - ] - ' "$sarif" > "sarif-upload/${IMAGE_NAME}/run-${i}.sarif" - done - - IMAGE_LIST=$(echo "$IMAGE_LIST" | jq -c --arg img "$IMAGE_NAME" '. + [$img]') - echo "Prepared $RUN_COUNT SARIF run(s) for $IMAGE_NAME" - done + end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE" + fi - echo "images=${IMAGE_LIST}" >> "$GITHUB_OUTPUT" - echo "Image list: ${IMAGE_LIST}" + - name: Upload SARIF to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v4 + if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} + with: + sarif_file: snyk-container-${{ inputs.image }}.sarif + category: snyk-container-${{ inputs.image }} + wait-for-processing: true - - name: Upload SARIF artifacts + - name: Upload SARIF as workflow artifact uses: actions/upload-artifact@v7 if: always() with: - name: snyk-container-sarif-${{ inputs.projectPrefix }} - path: sarif-upload/ + name: snyk-container-sarif-${{ inputs.image }} + path: snyk-container-${{ inputs.image }}.sarif retention-days: 30 + + - name: Run Snyk monitor + if: ${{ inputs.monitor == 'true' }} + shell: bash + continue-on-error: true + run: | + if [ -n "$LOADED_IMAGE" ]; then + MONITOR_PROJECT="${LOADED_IMAGE%%:*}" + MONITOR_REVISION="${LOADED_IMAGE##*:}" + snyk container monitor "$LOADED_IMAGE" \ + --project-name="$MONITOR_PROJECT" \ + --target-reference="$MONITOR_REVISION" + fi + + - name: Check CVSS threshold + shell: bash + env: + IMAGE_NAME: ${{ inputs.image }} + run: | + THRESHOLD=${{ 
inputs.cvssThreshold }} + JSON_FILE="snyk-container-${IMAGE_NAME}.json" + if [ -f "$JSON_FILE" ]; then + COUNT=$(jq --argjson t "$THRESHOLD" ' + if type == "array" then + [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length + else + [.vulnerabilities[]? | select(.cvssScore > $t)] | length + end' "$JSON_FILE") + if [ "$COUNT" -gt 0 ]; then + echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $THRESHOLD" + exit 1 + fi + echo "No vulnerabilities found with CVSS score > $THRESHOLD" + else + echo "No Snyk results file found, skipping CVSS threshold check" + fi diff --git a/.github/workflows/reusable-snyk-scan.yml b/.github/workflows/reusable-snyk-scan.yml deleted file mode 100644 index e3ea311..0000000 --- a/.github/workflows/reusable-snyk-scan.yml +++ /dev/null 
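Review bot: The new step layout fails open: "Load and scan image" has `continue-on-error: true`, so when `docker load` fails, the image file is missing, or `snyk container test` cannot run at all (bad token, unsupported image), the step is red but the job continues, and "Check CVSS threshold" reaches its `else` branch, prints "No Snyk results file found, skipping CVSS threshold check" and exits 0 — a scan that never happened passes the gate. `continue-on-error` is only needed because `snyk container test` exits 1 when it finds vulnerabilities; tolerate that exit code alone, let any other failure abort, and make the missing-results branch fatal. `THRESHOLD=${{ inputs.cvssThreshold }}` also splices the input into the script; pass it as `env: CVSS_THRESHOLD: ${{ inputs.cvssThreshold }}` like the other inputs in this step. The `$GITHUB_ENV` hand-off of `LOADED_IMAGE` to the monitor step is fine as it stands.
```yaml
      - name: Load and scan image
        shell: bash
        env:
          IMAGE_FILE: ${{ inputs.imageFile }}
          IMAGE_NAME: ${{ inputs.image }}
        run: |
          # … unchanged: file check, docker load, LOADED_IMAGE export …
          # Exit 1 means "vulnerabilities found" and is judged by the CVSS step; anything else is a scan failure
          snyk container test "$LOADED_IMAGE" \
            --sarif-file-output="snyk-container-${IMAGE_NAME}.sarif" \
            --json-file-output="snyk-container-${IMAGE_NAME}.json" || [ "$?" -eq 1 ]
      # … unchanged: sanitize, upload, artifact, monitor steps …
      - name: Check CVSS threshold
        shell: bash
        env:
          IMAGE_NAME: ${{ inputs.image }}
          CVSS_THRESHOLD: ${{ inputs.cvssThreshold }}
        run: |
          # … unchanged: jq count against $CVSS_THRESHOLD …
          else
            echo "::error::No Snyk results file found for $IMAGE_NAME; the scan did not run"
            exit 1
          fi
```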
@@ -1,143 +0,0 @@ -name: Snyk Security Scan Pipeline - -on: - workflow_call: - inputs: - scanMaven: - description: "Run Maven dependency scan" - required: false - type: boolean - default: true - scanContainers: - description: "Run container image scan" - required: false - type: boolean - default: false - containerArtifact: - description: "Name of container archive artifact to download (e.g., containers-operators-amd64)" - required: false - type: string - default: "" - containerArtifactRunId: - description: "Workflow run ID to download the container artifact from" - required: false - type: string - default: "" - cvssThreshold: - description: "CVSS score threshold — fail if any CVE scores above this" - required: false - type: string - default: "8.0" - javaVersion: - description: "Java version to use for build" - required: false - type: string - default: "21" - monitor: - description: "Run 'snyk monitor' to upload results to the Snyk dashboard" - required: false - type: boolean - default: false - projectPrefix: - description: "Project prefix for Snyk dashboard (e.g., 'strimzi')" - required: true - type: string - ref: - description: "Git ref to checkout" - required: false - type: string - default: "" - secrets: - SNYK_TOKEN: - required: true - -permissions: - contents: read - security-events: write - actions: read - -jobs: - snyk-maven: - name: Snyk Maven Scan - if: ${{ inputs.scanMaven }} - runs-on: ubuntu-latest - timeout-minutes: 60 - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - ref: ${{ inputs.ref || '' }} - - - name: Setup Java and Maven - uses: strimzi/github-actions/.github/actions/dependencies/setup-java@main - with: - javaVersion: ${{ inputs.javaVersion }} - - - name: Install yq - uses: strimzi/github-actions/.github/actions/dependencies/install-yq@main - - - name: Restore Maven cache - uses: actions/cache/restore@v5 - with: - path: ~/.m2/repository - key: maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - maven- - - - name: Build 
Maven project - shell: bash - run: mvn -B -DskipTests -Dmaven.javadoc.skip=true clean install - - - name: Run Snyk Maven scan - uses: strimzi/github-actions/.github/actions/security/snyk-maven-scan@main - with: - cvssThreshold: ${{ inputs.cvssThreshold }} - monitor: ${{ inputs.monitor }} - projectPrefix: ${{ inputs.projectPrefix }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - snyk-containers: - name: Snyk Container Scan - if: ${{ inputs.scanContainers }} - runs-on: ubuntu-latest - timeout-minutes: 60 - outputs: - images: ${{ steps.scan.outputs.images }} - steps: - - name: Install Docker - uses: strimzi/github-actions/.github/actions/dependencies/install-docker@main - - - name: Run Snyk container scan - id: scan - uses: strimzi/github-actions/.github/actions/security/snyk-container-scan@main - with: - containerArtifact: ${{ inputs.containerArtifact }} - runId: ${{ inputs.containerArtifactRunId }} - cvssThreshold: ${{ inputs.cvssThreshold }} - monitor: ${{ inputs.monitor }} - projectPrefix: ${{ inputs.projectPrefix }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - snyk-container-upload-sarif: - name: Upload Container SARIF (${{ matrix.image }}) - if: ${{ inputs.scanContainers && needs.snyk-containers.result == 'success' }} - needs: snyk-containers - runs-on: ubuntu-latest - timeout-minutes: 10 - strategy: - matrix: - image: ${{ fromJson(needs.snyk-containers.outputs.images) }} - steps: - - name: Download SARIF artifacts - uses: actions/download-artifact@v7 - with: - name: snyk-container-sarif-${{ inputs.projectPrefix }} - path: sarif-download - - - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: sarif-download/${{ matrix.image }} - wait-for-processing: true diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index cf66659..3026a59 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml 
@@ -166,83 +166,76 @@ jobs: await new Promise(resolve => setTimeout(resolve, 30000)); } - test-snyk-container-scan: - name: Test Snyk Container Scan + test-snyk-container-scan-operators: + name: Test Snyk Container Scan (${{ matrix.image }}) needs: wait-for-container-artifact runs-on: ubuntu-latest timeout-minutes: 30 - outputs: - images: ${{ steps.scan.outputs.images }} + strategy: + matrix: + image: + - buildah-latest-amd64 + - kafka-build-kafka-4.1.0-amd64 + - kafka-build-kafka-4.1.1-amd64 + - kafka-build-kafka-4.2.0-amd64 + - kaniko-executor-latest-amd64 + - maven-builder-latest-amd64 + - operator-latest-amd64 steps: - name: Checkout github-actions uses: actions/checkout@v6 - with: - repository: strimzi/github-actions - ref: ${{ github.sha }} - path: github-actions - - - name: Setup actions for testing - run: | - mkdir -p .github/actions - cp -r github-actions/.github/actions/* .github/actions/ - name: Install Docker uses: ./.github/actions/dependencies/install-docker + - name: Download container archive + uses: actions/download-artifact@v7 + with: + name: containers-operators-amd64.tar + run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }} + github-token: ${{ github.token }} + + - name: Untar container archive + run: tar -xvf containers-operators-amd64.tar + - name: Run Snyk container scan - id: scan uses: ./.github/actions/security/snyk-container-scan with: - containerArtifact: containers-operators-amd64.tar - runId: ${{ needs.wait-for-container-artifact.outputs.run-id }} + imageFile: docker-images/container-archives/${{ matrix.image }}.tar + image: ${{ matrix.image }} cvssThreshold: "99.0" monitor: "false" projectPrefix: test-operators env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Download SARIF artifacts - uses: actions/download-artifact@v7 - with: - name: snyk-container-sarif-test-operators - path: sarif-output - - - name: Verify SARIF artifacts - shell: bash - run: | - SARIF_COUNT=$(find sarif-output -name "*.sarif" -type f | wc -l) - if 
[ "$SARIF_COUNT" -eq 0 ]; then - echo "No SARIF files found in artifacts" - exit 1 - fi - echo "Found $SARIF_COUNT SARIF file(s)" - for sarif in $(find sarif-output -name "*.sarif" -type f); do - if [ ! -s "$sarif" ]; then - echo "SARIF file is empty: $sarif" - exit 1 - fi - jq empty "$sarif" - echo "$(basename "$sarif"): valid JSON with $(jq '.runs | length' "$sarif") run(s)" - done - - upload-container-sarif: - name: Upload Container SARIF (${{ matrix.image }}) - if: ${{ needs.test-snyk-container-scan.result == 'success' }} - needs: test-snyk-container-scan + test-snyk-container-scan-drain-cleaner: + name: Test Snyk Container Scan (drain-cleaner) + needs: wait-for-container-artifact runs-on: ubuntu-latest - timeout-minutes: 10 - strategy: - matrix: - image: ${{ fromJson(needs.test-snyk-container-scan.outputs.images) }} + timeout-minutes: 30 + steps: - - name: Download SARIF artifacts + - name: Checkout github-actions + uses: actions/checkout@v6 + + - name: Install Docker + uses: ./.github/actions/dependencies/install-docker + + - name: Download container archive uses: actions/download-artifact@v7 with: - name: snyk-container-sarif-test-operators - path: sarif-download + name: containers-drain-cleaner-amd64.tar + run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }} + github-token: ${{ github.token }} - - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 + - name: Run Snyk container scan + uses: ./.github/actions/security/snyk-container-scan with: - sarif_file: sarif-download/${{ matrix.image }} - wait-for-processing: true + imageFile: containers-drain-cleaner-amd64.tar + image: drain-cleaner-amd64 + cvssThreshold: "99.0" + monitor: "false" + projectPrefix: test-drain-cleaner + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 0bd2295135a507fc88ce75ed442f4222e10dec97 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Fri, 5 Jun 2026 22:37:00 +0200 Subject: [PATCH 21/26] Fix archives names 
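Review bot: The `test-snyk-container-scan-operators` matrix hardcodes seven image names that have to match the contents of the `containers-operators-amd64.tar` artifact produced by another workflow; when that archive changes, the download and untar steps still succeed and the failure only surfaces inside the action as a missing `imageFile`. A guard after the untar step that checks the expected `imageFile` path exists (`test -f <path> || { echo "::error::image not in artifact"; exit 1; }`) plus a comment above `image:` naming the producing workflow would make the coupling explicit. The cross-run download with `run-id` and `github.token` presumably also needs `actions: read` on the job — the permissions block is outside the hunk, so worth confirming. Note that the drain-cleaner job in the same hunk passes the outer artifact `containers-drain-cleaner-amd64.tar` straight to `imageFile` with no untar step, unlike the operators job.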
Signed-off-by: Jakub Stejskal --- .github/workflows/test-snyk.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 3026a59..4214502 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -201,7 +201,7 @@ jobs: - name: Run Snyk container scan uses: ./.github/actions/security/snyk-container-scan with: - imageFile: docker-images/container-archives/${{ matrix.image }}.tar + imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz image: ${{ matrix.image }} cvssThreshold: "99.0" monitor: "false" @@ -229,10 +229,13 @@ jobs: run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }} github-token: ${{ github.token }} + - name: Untar container archive + run: tar -xvf containers-drain-cleaner-amd64.tar + - name: Run Snyk container scan uses: ./.github/actions/security/snyk-container-scan with: - imageFile: containers-drain-cleaner-amd64.tar + imageFile: drain-cleaner-container-amd64.tar.gz image: drain-cleaner-amd64 cvssThreshold: "99.0" monitor: "false" From bde155686ce11f864b3570595c124825c362a28e Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Fri, 5 Jun 2026 23:46:48 +0200 Subject: [PATCH 22/26] Change tool names Signed-off-by: Jakub Stejskal --- .../actions/security/snyk-container-scan/action.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index fd56f03..a6da3c1 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml 
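Review bot: After the `@@ -229,10` hunk the two container jobs rely on different archive layouts — operators extracts and reads `docker-images/container-archives/<image>.tar.gz`, drain-cleaner extracts and reads `drain-cleaner-container-amd64.tar.gz` from the workspace root — and nothing in either job states where that layout comes from. A one-line comment above each `Untar container archive` step naming the producing workflow and the expected inner path would stop the next rename from becoming another hidden failure. The new untar step also does not check that the archive actually contains the expected file, so a wrong name only surfaces later inside the action; `test -f drain-cleaner-container-amd64.tar.gz || { echo "::error::archive layout changed"; exit 1; }` after the `tar` would fail earlier and clearer. The `@@ -201,7` hunk has the same implicit-layout issue.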
@@ -64,10 +64,12 @@ runs: run: | SARIF_FILE="snyk-container-${IMAGE_NAME}.sarif" if [ -f "$SARIF_FILE" ]; then - jq '(.runs[].tool.driver.rules[]?.properties."security-severity") |= - if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" - else . - end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE" + jq --arg name "Snyk Container ($IMAGE_NAME)" ' + (.runs[].tool.driver.name) = $name | + (.runs[].tool.driver.rules[]?.properties."security-severity") |= + if . == null or . == "undefined" or (tostring | test("^[0-9]") | not) then "0.0" + else . + end' "$SARIF_FILE" > "${SARIF_FILE}.tmp" && mv "${SARIF_FILE}.tmp" "$SARIF_FILE" fi - name: Upload SARIF to GitHub Code Scanning From ad9b2a34989f5a6b71a0c9b7eb9fb02793ef1af1 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Sat, 6 Jun 2026 22:40:37 +0200 Subject: [PATCH 23/26] Test monitor and add check for sarif files Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 2 +- .github/workflows/test-snyk.yml | 34 ++++++++++++++++++- 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index a6da3c1..33ca8d9 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -22,7 +22,7 @@ inputs: uploadToCodeScanning: description: "Whether to upload SARIF results to GitHub Code Scanning" required: false - default: "true" + default: "false" runs: using: "composite" diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 4214502..856864a 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml 
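Review bot: Rewriting `.runs[].tool.driver.name` to `Snyk Container (<image>)` is doing the job that the `category` input of `upload-sarif` exists for — without a distinct category per image, uploads under the same tool name for the same commit replace each other in Code Scanning; the upload step is outside this hunk, so whether `category` is set there should be confirmed, and if it is, the rename is cosmetic and a comment should say so. Passing the image name via `--arg name` rather than splicing it into the filter string is the right call, since the name comes from an action input; keep it that way. A comment such as `# driver.name carries the image so each image appears as its own tool in the Code Scanning UI` above the `jq` call would document the intent.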
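Review bot: Flipping the `uploadToCodeScanning` default to `"false"` changes behaviour for every caller that omitted the input — they silently stop receiving Code Scanning alerts — while the test workflow in this same commit already passes `uploadToCodeScanning: "false"` explicitly, so the default change is not needed for the tests. Keeping `default: "true"` and leaving the opt-out to callers preserves the safe-by-default behaviour for production consumers. If the flip is intentional, the input's description should say so, e.g. `description: "Whether to upload SARIF results to GitHub Code Scanning (off by default)"`.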
@@ -205,10 +205,26 @@ jobs: image: ${{ matrix.image }} cvssThreshold: "99.0" monitor: "false" + uploadToCodeScanning: "false" projectPrefix: test-operators env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Verify SARIF artifact + shell: bash + run: | + SARIF_FILE="snyk-container-${{ matrix.image }}.sarif" + if [ ! -f "$SARIF_FILE" ]; then + echo "SARIF file not found: $SARIF_FILE" + exit 1 + fi + if [ ! -s "$SARIF_FILE" ]; then + echo "SARIF file is empty: $SARIF_FILE" + exit 1 + fi + jq empty "$SARIF_FILE" + echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)" + test-snyk-container-scan-drain-cleaner: name: Test Snyk Container Scan (drain-cleaner) needs: wait-for-container-artifact @@ -238,7 +254,23 @@ jobs: imageFile: drain-cleaner-container-amd64.tar.gz image: drain-cleaner-amd64 cvssThreshold: "99.0" - monitor: "false" + monitor: "true" + uploadToCodeScanning: "false" projectPrefix: test-drain-cleaner env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + - name: Verify SARIF artifact + shell: bash + run: | + SARIF_FILE="snyk-container-drain-cleaner-amd64.sarif" + if [ ! -f "$SARIF_FILE" ]; then + echo "SARIF file not found: $SARIF_FILE" + exit 1 + fi + if [ ! -s "$SARIF_FILE" ]; then + echo "SARIF file is empty: $SARIF_FILE" + exit 1 + fi + jq empty "$SARIF_FILE" + echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)" From b4a12059fdf93e5525faf2f2e042b3c2755521ef Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Mon, 8 Jun 2026 22:28:53 +0200 Subject: [PATCH 24/26] Pin versions by diggest and add comments Signed-off-by: Jakub Stejskal # Conflicts: # .github/workflows/test-integrations.yml --- .../security/snyk-container-scan/action.yml | 12 ++++-- .../security/snyk-maven-scan/action.yml | 11 ++++-- .github/workflows/test-snyk.yml | 38 ++++++++++--------- 3 files changed, 36 insertions(+), 25 deletions(-) 
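Review bot: The two new `Verify SARIF artifact` steps only check that the file exists and parses as JSON; they do not assert the one property the action now manipulates, the per-image `tool.driver.name`, so a regression in the sanitize step would pass this test. Adding `test "$(jq -r '.runs[0].tool.driver.name' "$SARIF_FILE")" = "Snyk Container (${{ matrix.image }})"` (and the drain-cleaner equivalent) would pin it. The step is duplicated verbatim across the two jobs with only the file name differing; a shared composite step or a matrix entry would avoid drift. Setting `monitor: "true"` in the drain-cleaner test job creates a Snyk project on every push of the test workflow — if that is only to exercise the code path once, it should be reverted afterwards.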
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 33ca8d9..274a143 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -12,7 +12,7 @@ inputs: description: "Fail if any CVE has CVSS score above this value" required: false default: "8.0" - monitor: + snykMonitor: description: "Whether to also run 'snyk container monitor'" required: false default: "false" @@ -28,7 +28,7 @@ runs: using: "composite" steps: - name: Setup Snyk CLI - uses: snyk/actions/setup@master + uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0 - name: Load and scan image shell: bash @@ -57,6 +57,9 @@ runs: --sarif-file-output="snyk-container-${IMAGE_NAME}.sarif" \ --json-file-output="snyk-container-${IMAGE_NAME}.json" + # This is used to set severity score to 0.0 for those results that has empty value for it. + # Empty value is not supported by GitHub Code Scanning page + # It also set tool.driver.name to distinguish between different tools within UI (different tool = different image) - name: Sanitize SARIF security-severity values shell: bash env: @@ -73,7 +76,7 @@ runs: fi - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} with: sarif_file: snyk-container-${{ inputs.image }}.sarif 
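Review bot: The three-line comment added above `Sanitize SARIF security-severity values` has grammar slips (`results that has empty value`, `It also set`) and does not say what a forced `0.0` means to someone triaging alerts — the finding is unscored, not harmless. Suggested wording: `# GitHub Code Scanning rejects SARIF rules whose security-severity is empty or non-numeric, so those are set to "0.0" (meaning "unscored", not "no risk"). tool.driver.name is also set per image so each image shows up as its own tool in the UI.` The digest pins with a `# vX.Y.Z` trailer comment in the other hunks of this file follow the form dependency-update bots can track, which is good.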
@@ -81,13 +84,14 @@ runs: wait-for-processing: true - name: Upload SARIF as workflow artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() with: name: snyk-container-sarif-${{ inputs.image }} path: snyk-container-${{ inputs.image }}.sarif retention-days: 30 + # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports - name: Run Snyk monitor if: ${{ inputs.monitor == 'true' }} shell: bash diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 27ada23..480b9cf 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml @@ -6,7 +6,7 @@ inputs: description: "Fail if any CVE has CVSS score above this value" required: false default: "8.0" - monitor: + snykMonitor: description: "Whether to also run 'snyk monitor'" required: false default: "false" @@ -22,7 +22,7 @@ runs: using: "composite" steps: - name: Setup Snyk CLI - uses: snyk/actions/setup@master + uses: snyk/actions/setup@9adf32b1121593767fc3c057af55b55db032dc04 # v1.0.0 - name: Run Snyk test shell: bash @@ -32,6 +32,8 @@ runs: --sarif-file-output=snyk-maven-${{ inputs.projectPrefix }}.sarif \ --json-file-output=snyk-results.json + # This is used to set severity score to 0.0 for those results that has empty value for it. + # Empty value is not supported by GitHub Code Scanning page - name: Sanitize SARIF security-severity values shell: bash run: | @@ -44,7 +46,7 @@ runs: fi - name: Upload SARIF to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 if: ${{ always() && inputs.uploadToCodeScanning == 'true' }} with: sarif_file: snyk-maven-${{ inputs.projectPrefix }}.sarif 
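Review bot: The `Run Snyk monitor` step in the `@@ -81,13 +84,14 @@` hunk still gates on `if: ${{ inputs.monitor == 'true' }}`, but the `@@ -12,7` hunk of this same file renames the input to `snykMonitor`; `inputs.monitor` now resolves to an empty string, so the monitor step can never run even when callers pass `snykMonitor: "true"`. The condition should read `if: ${{ inputs.snykMonitor == 'true' }}`. The maven action has the identical problem: its `monitor` input is renamed in the `@@ -6,7` hunk below while the `@@ -52,13 +54,14 @@` hunk on the next line keeps `inputs.monitor`.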
@@ -52,13 +54,14 @@ runs: wait-for-processing: true - name: Upload SARIF as workflow artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: always() with: name: snyk-maven-${{ inputs.projectPrefix }}.sarif path: snyk-maven-${{ inputs.projectPrefix }}.sarif retention-days: 30 + # Monitor command is used for upload snapshot of the scan to Snyk App where Snyk will do daily scans and can generate reports - name: Run Snyk monitor if: ${{ inputs.monitor == 'true' }} shell: bash diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index 856864a..d132c78 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -23,15 +23,15 @@ jobs: timeout-minutes: 60 steps: - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: ref: ${{ github.sha }} - name: Checkout strimzi/drain-cleaner - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: repository: strimzi/drain-cleaner - ref: main + ref: 1.6.0 path: drain-cleaner - name: Copy drain-cleaner project to workspace root @@ -44,7 +44,7 @@ jobs: uses: ./.github/actions/dependencies/install-yq - name: Restore Maven cache - uses: actions/cache/restore@v5 + uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.m2/repository key: maven-${{ hashFiles('**/pom.xml') }} 
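Review bot: The commit pins every action to a commit digest, but the `@@ -23,15 +23,15 @@` hunk of test-snyk.yml checks out `strimzi/drain-cleaner` at `ref: 1.6.0`, a tag that can be moved; for the same reproducibility the `ref:` should be the tag's commit SHA with the tag in a trailing comment, e.g. `ref: <drain-cleaner 1.6.0 commit sha>  # 1.6.0`. Moving off `main` to a fixed release is the right direction — a comment saying why a fixed version is used (a stable Maven scan fixture) would help whoever bumps it next.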
@@ -59,14 +59,16 @@ jobs: uses: ./.github/actions/security/snyk-maven-scan with: cvssThreshold: "99.0" - monitor: "false" + # Keep false to avoid uploading testing results to Snyk App + snykMonitor: "false" + # Keep false to avoid uploading results to GitHub Code Scanning page + uploadToCodeScanning: "false" projectPrefix: test-drain-cleaner - uploadToCodeScanning: "true" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - name: Download SARIF artifact - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: snyk-maven-test-drain-cleaner.sarif path: sarif-output @@ -86,6 +88,8 @@ jobs: jq empty "$SARIF_FILE" echo "SARIF file is valid JSON with $(jq '.runs | length' "$SARIF_FILE") run(s)" + # Test workflow loads image artifacts from test-integrations workflow. + # To avoid additional image build, the scan check will wait until integration workflow store the artifacts wait-for-container-artifact: name: Wait for Container Artifact runs-on: ubuntu-latest @@ -95,7 +99,7 @@ jobs: steps: - name: Wait for container artifact id: find-build - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 env: INPUT_SHA: ${{ github.sha }} ARTIFACT_NAME: "containers-operators-amd64.tar" 
@@ -174,22 +178,20 @@ jobs: strategy: matrix: image: + # Kafka images are not here to avoid need to change Kafka versions on multiple places when we bump operators repo versions for testing - buildah-latest-amd64 - - kafka-build-kafka-4.1.0-amd64 - - kafka-build-kafka-4.1.1-amd64 - - kafka-build-kafka-4.2.0-amd64 - kaniko-executor-latest-amd64 - maven-builder-latest-amd64 - operator-latest-amd64 steps: - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Docker uses: ./.github/actions/dependencies/install-docker - name: Download container archive - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: containers-operators-amd64.tar run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }} @@ -204,7 +206,7 @@ jobs: imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz image: ${{ matrix.image }} cvssThreshold: "99.0" - monitor: "false" + snykMonitor: "false" uploadToCodeScanning: "false" projectPrefix: test-operators env: @@ -233,13 +235,13 @@ jobs: steps: - name: Checkout github-actions - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Docker uses: ./.github/actions/dependencies/install-docker - name: Download container archive - uses: actions/download-artifact@v7 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: containers-drain-cleaner-amd64.tar run-id: ${{ needs.wait-for-container-artifact.outputs.run-id }} 
@@ -254,7 +256,9 @@ jobs: imageFile: drain-cleaner-container-amd64.tar.gz image: drain-cleaner-amd64 cvssThreshold: "99.0" - monitor: "true" + # Keep false to avoid uploading testing results to Snyk App + snykMonitor: "false" + # Keep false to avoid uploading results to GitHub Code Scanning page uploadToCodeScanning: "false" projectPrefix: test-drain-cleaner env: From ef37aa052d1b41296a3f6fa9162029f8ce4a52ce Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Mon, 8 Jun 2026 23:08:46 +0200 Subject: [PATCH 25/26] Remove testing branch Signed-off-by: Jakub Stejskal --- .github/workflows/test-integrations.yml | 1 - .github/workflows/test-snyk.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml index a374428..ffe1a3f 100644 --- a/.github/workflows/test-integrations.yml +++ b/.github/workflows/test-integrations.yml @@ -8,7 +8,6 @@ on: branches: - "main" - "release-*" - - "add-snyk-actions" # Declare default permissions as read only permissions: diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index d132c78..bb033f8 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -1,11 +1,11 @@ name: Snyk Scan Tests on: + # Due to security constraints we cannot run the workflow on PRs due to missing secrets on PRs from forks push: branches: - "main" - "release-*" - - "add-snyk-actions" permissions: contents: read From 180a50e106281f03848c3b3c3bf628c760793cd4 Mon Sep 17 00:00:00 2001 From: Jakub Stejskal Date: Tue, 9 Jun 2026 22:33:39 +0200 Subject: [PATCH 26/26] Remove CVSS threshold checks Signed-off-by: Jakub Stejskal --- .../security/snyk-container-scan/action.yml | 29 +------------------ .../security/snyk-maven-scan/action.yml | 26 +---------------- .github/workflows/test-snyk.yml | 3 -- 3 files changed, 2 insertions(+), 56 deletions(-) 
diff --git a/.github/actions/security/snyk-container-scan/action.yml b/.github/actions/security/snyk-container-scan/action.yml index 274a143..a6b26b5 100644 --- a/.github/actions/security/snyk-container-scan/action.yml +++ b/.github/actions/security/snyk-container-scan/action.yml @@ -1,5 +1,5 @@ name: "Snyk Container Scan" -description: "Scan a single container image with Snyk, upload results to Code Scanning, and check CVSS threshold" +description: "Scan a single container image with Snyk, upload results to Code Scanning" inputs: imageFile: @@ -8,10 +8,6 @@ inputs: image: description: "Image name for SARIF naming and categorization" required: true - cvssThreshold: - description: "Fail if any CVE has CVSS score above this value" - required: false - default: "8.0" snykMonitor: description: "Whether to also run 'snyk container monitor'" required: false @@ -104,26 +100,3 @@ runs: --project-name="$MONITOR_PROJECT" \ --target-reference="$MONITOR_REVISION" fi - - - name: Check CVSS threshold - shell: bash - env: - IMAGE_NAME: ${{ inputs.image }} - run: | - THRESHOLD=${{ inputs.cvssThreshold }} - JSON_FILE="snyk-container-${IMAGE_NAME}.json" - if [ -f "$JSON_FILE" ]; then - COUNT=$(jq --argjson t "$THRESHOLD" ' - if type == "array" then - [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length - else - [.vulnerabilities[]? | select(.cvssScore > $t)] | length - end' "$JSON_FILE") - if [ "$COUNT" -gt 0 ]; then - echo "::error::Image $IMAGE_NAME has $COUNT vulnerabilities with CVSS score > $THRESHOLD" - exit 1 - fi - echo "No vulnerabilities found with CVSS score > $THRESHOLD" - else - echo "No Snyk results file found, skipping CVSS threshold check" - fi diff --git a/.github/actions/security/snyk-maven-scan/action.yml b/.github/actions/security/snyk-maven-scan/action.yml index 480b9cf..68de261 100644 --- a/.github/actions/security/snyk-maven-scan/action.yml +++ b/.github/actions/security/snyk-maven-scan/action.yml 
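Review bot: With the `Check CVSS threshold` step gone the action no longer has any failure condition tied to findings, and the `--json-file-output="snyk-container-${IMAGE_NAME}.json"` from the scan step (visible as context in the `@@ -57,6` hunk of patch 24 above) is now written but never read; either drop the flag or note in the description that the JSON is kept for debugging. Whether the action can still fail a build depends on how the `snyk container test` step handles the CLI's non-zero exit on findings, which is outside this hunk — if that exit is swallowed, the new description `Scan a single container image with Snyk, upload results to Code Scanning` should state that the action is report-only. The maven action in the `@@ -71,23 +67,3 @@` hunk on the next line has the same leftover `snyk-results.json` output.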
@@ -1,11 +1,7 @@ name: "Snyk Maven Scan" -description: "Run Snyk scan on Maven dependencies with SARIF upload and CVSS threshold check" +description: "Run Snyk scan on Maven dependencies with SARIF upload" inputs: - cvssThreshold: - description: "Fail if any CVE has CVSS score above this value" - required: false - default: "8.0" snykMonitor: description: "Whether to also run 'snyk monitor'" required: false @@ -71,23 +67,3 @@ runs: run: | REPO_NAME="${GITHUB_REPOSITORY##*/}" snyk monitor --project-name="${PROJECT_PREFIX}/${REPO_NAME}" - - - name: Check CVSS threshold - shell: bash - run: | - THRESHOLD=${{ inputs.cvssThreshold }} - if [ -f snyk-results.json ]; then - COUNT=$(jq --argjson t "$THRESHOLD" ' - if type == "array" then - [.[].vulnerabilities[]? | select(.cvssScore > $t)] | length - else - [.vulnerabilities[]? | select(.cvssScore > $t)] | length - end' snyk-results.json) - if [ "$COUNT" -gt 0 ]; then - echo "::error::Found $COUNT vulnerabilities with CVSS score > $THRESHOLD" - exit 1 - fi - echo "No vulnerabilities found with CVSS score > $THRESHOLD" - else - echo "No Snyk results file found, skipping CVSS threshold check" - fi diff --git a/.github/workflows/test-snyk.yml b/.github/workflows/test-snyk.yml index bb033f8..6352437 100644 --- a/.github/workflows/test-snyk.yml +++ b/.github/workflows/test-snyk.yml @@ -58,7 +58,6 @@ jobs: - name: Run Snyk Maven scan uses: ./.github/actions/security/snyk-maven-scan with: - cvssThreshold: "99.0" # Keep false to avoid uploading testing results to Snyk App snykMonitor: "false" # Keep false to avoid uploading results to GitHub Code Scanning page @@ -205,7 +204,6 @@ jobs: with: imageFile: docker-images/container-archives/${{ matrix.image }}.tar.gz image: ${{ matrix.image }} - cvssThreshold: "99.0" snykMonitor: "false" uploadToCodeScanning: "false" projectPrefix: test-operators 
@@ -255,7 +253,6 @@ jobs: with: imageFile: drain-cleaner-container-amd64.tar.gz image: drain-cleaner-amd64 - cvssThreshold: "99.0" # Keep false to avoid uploading testing results to Snyk App snykMonitor: "false" # Keep false to avoid uploading results to GitHub Code Scanning page