feat: switch to Snyk CLI

conventional-actions · Apr 15, 2023 · 3634baf · 3634baf
1 parent 2c54261
commit 3634baf
Show file tree

Hide file tree

Showing 27 changed files with 54 additions and 32,654 deletions.
diff --git a/.eslintignore b/.eslintignore
diff --git a/.eslintrc.json b/.eslintrc.json
diff --git a/.gitattributes b/.gitattributes
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,8 +4,3 @@ updates:
     directory: /
     schedule:
       interval: daily
-
-  - package-ecosystem: npm
-    directory: /
-    schedule:
-      interval: daily
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.prettierignore b/.prettierignore
diff --git a/.prettierrc.json b/.prettierrc.json
diff --git a/README.md b/README.md
@@ -12,20 +12,23 @@ To use the GitHub Action, add the following to your job:
 
 ### Inputs
 
-| Name           | Default      | Description                                                                                                   |
-|----------------|--------------|---------------------------------------------------------------------------------------------------------------|
-| `scan-version` | `latest`     | the version of docker scan to install                                                                         |
-| `image`        | required     | name of image to scan                                                                                         |
-| `tag`          | `latest`     | tag of image to scan                                                                                          |
-| `severity`     | `medium`     | only report vulnerabilities of provided level or higher (low, medium, high)                                   |
-| `token`        | required     | use the authentication token to log into the third-party scanning provider                                    |
-| `file`         | `Dockerfile` | specify the location of the Dockerfile associated with the image. This option displays a detailed scan result |
-| `exclude-base` | `false`      | exclude the base image during scanning                                                                        |
+| Name       | Default      | Description                                                                                                   |
+|------------|--------------|---------------------------------------------------------------------------------------------------------------|
+| `image`    | required     | name of image to scan                                                                                         |
+| `tag`      | `latest`     | tag of image to scan                                                                                          |
+| `file`     | `Dockerfile` | specify the location of the Dockerfile associated with the image. This option displays a detailed scan result |
+| `severity` | `medium`     | only report vulnerabilities of provided level or higher (low, medium, high)                                   |
+| `args`     | N/A          | Additional arguments to pass to Snyk                                                                          |
+| `fail-on`  | `all`        | Fail only when there are vulnerabilities that can be fixed.                                                   |
 
 ### Outputs
 
 No outputs
 
+### Environment variables
+
+The `SNYK_TOKEN` environment variable should be set.
+
 ### Example
 
 ```yaml
@@ -42,7 +45,8 @@ jobs:
       - uses: conventional-actions/docker-scan@v1
         with:
           image: octo/kit
-          token: ${{ secrets.SNYK_TOKEN }}
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 ```
 
 ## License

diff --git a/__tests__/main.test.ts b/__tests__/main.test.ts
diff --git a/action.yml b/action.yml
@@ -6,31 +6,57 @@ inputs:
     required: false
     description: 'version of docker scan to use'
     default: latest
+    deprecationMessage: 'no longer available'
+  token:
+    required: false
+    description: 'use the authentication token to log into the third-party scanning provider'
+    deprecationMessage: 'no longer available'
+  exclude-base:
+    required: false
+    description: 'exclude the base image during scanning'
+    default: 'false'
+    deprecationMessage: 'no longer available'
   image:
     required: true
     description: 'name of image to scan'
   tag:
     required: false
     description: 'tag of image to scan'
-  severity:
-    required: false
-    description: 'only report vulnerabilities of provided level or higher (low, medium, high)'
-    default: 'medium'
-  token:
-    required: false
-    description: 'use the authentication token to log into the third-party scanning provider'
+    default: 'latest'
   file:
     required: false
     description: 'specify the location of the Dockerfile associated with the image. This option displays a detailed scan result'
     default: Dockerfile
-  exclude-base:
+  severity:
     required: false
-    description: 'exclude the base image during scanning'
-    default: 'false'
+    description: 'only report vulnerabilities of provided level or higher (low, medium, high, critical)'
+    default: 'medium'
+  args:
+    required: false
+    description: 'Additional arguments to pass to Snyk'
+  fail-on:
+    required: false
+    default: all
+    description: 'Fail only when there are vulnerabilities that can be fixed.'
 runs:
-  using: 'node16'
-  pre: 'dist/setup/index.js'
-  main: 'dist/main/index.js'
+  using: "docker"
+  image: "docker://snyk/snyk:docker"
+  env:
+    SNYK_INTEGRATION_NAME: GITHUB_ACTIONS
+    SNYK_INTEGRATION_VERSION: docker
+  args:
+    - snyk
+    - container
+    - test
+    - --sarif
+    - --severity-threshold
+    - ${{ inputs.severity }}
+    - --fail-on
+    - ${{ inputs.fail-on }}
+    - --file
+    - ${{ inputs.file }}
+    - ${{ inputs.args }}
+    - ${{ inputs.image }}:${{ inputs.tag }}
 branding:
-  icon: zoom-in
+  icon: alert-triangle
   color: purple